Prepare release v2.7.0-rc2

Merge v2.6 into v2.7
Prepare release v2.6.3
2022-03-29 17:00:09 +02:00 · 2022-03-29 15:43:10 +02:00 · 2022-03-29 15:00:09 +02:00 · 2022-03-28 18:18:08 +02:00 · 2022-03-28 17:36:07 +02:00 · 2022-03-28 16:22:10 +02:00
537 changed files with 36189 additions and 28581 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.

 Documentation fixes or enhancements:
 - for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.5
+- for Traefik v2: use branch v2.6

 Bug fixes:
 - for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.5
+- for Traefik v2: use branch v2.6

 Enhancements:
 - for Traefik v1: we only accept bug fixes
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -8,7 +8,7 @@ on:
 env:
  GO_VERSION: 1.17
  CGO_ENABLED: 0
-  PRE_TARGET: ""
+  IN_DOCKER: ""

 jobs:

@@ -23,8 +23,8 @@ jobs:

      - name: Build webui
        run: |
-          make generate-webui
-          tar czvf webui.tar.gz ./static/
+          make clean-webui generate-webui
+          tar czvf webui.tar.gz ./webui/static/

      - name: Artifact webui
        uses: actions/upload-artifact@v2
@@ -66,9 +66,6 @@ jobs:
          key: ${{ runner.os }}-build-go-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-build-go-

-      - name: Installing dependencies
-        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
-
      - name: Artifact webui
        uses: actions/download-artifact@v2
        with:
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -44,7 +44,7 @@ jobs:
          STRUCTOR_LATEST_TAG: ${{ secrets.STRUCTOR_LATEST_TAG }}

      - name: Apply seo
-        run: $HOME/bin/seo -path=./site
+        run: $HOME/bin/seo -path=./site -product=traefik

      - name: Publish documentation
        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@@ -7,7 +7,7 @@ on:

 env:
  GO_VERSION: 1.17
-  PRE_TARGET: ""
+  IN_DOCKER: ""

 jobs:

@@ -39,8 +39,8 @@ jobs:
          key: ${{ runner.os }}-test-unit-go-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-test-unit-go-

-      - name: Installing dependencies
-        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
+      - name: Avoid generating webui
+        run: touch webui/static/index.html

      - name: Tests
        run: make test-unit
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -7,9 +7,9 @@ on:

 env:
  GO_VERSION: 1.17
-  GOLANGCI_LINT_VERSION: v1.43.0
+  GOLANGCI_LINT_VERSION: v1.45.0
  MISSSPELL_VERSION: v0.3.4
-  PRE_TARGET: ""
+  IN_DOCKER: ""

 jobs:

@@ -41,15 +41,15 @@ jobs:
          key: ${{ runner.os }}-validate-go-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-validate-go-

-      - name: Installing dependencies
-        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
-
      - name: Install golangci-lint ${{ env.GOLANGCI_LINT_VERSION }}
        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}

      - name: Install missspell ${{ env.MISSSPELL_VERSION }}
        run: curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}

+      - name: Avoid generating webui
+        run: touch webui/static/index.html
+
      - name: Validate
        run: make validate

@@ -81,9 +81,6 @@ jobs:
          key: ${{ runner.os }}-validate-generate-go-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-validate-generate-go-

-      - name: Installing dependencies
-        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
-
      - name: go generate
        run: |
          go generate
--- a/.gitignore
+++ b/.gitignore
@@ -5,10 +5,8 @@
 .DS_Store
 /dist
 /webui/.tmp/
-/webui/static/
 /site/
 /docs/site/
-/static/
 /autogen/
 /traefik
 /traefik.toml
--- a/.golangci.toml
+++ b/.golangci.toml
@@ -48,6 +48,59 @@
    extensionsv1beta1 = "k8s.io/api/extensions/v1beta1"
    metav1 = "k8s.io/apimachinery/pkg/apis/meta/v1"
    kubeerror = "k8s.io/apimachinery/pkg/api/errors"
+    composeapi = "github.com/docker/compose/v2/pkg/api"
+
+  [linters-settings.revive]
+    [[linters-settings.revive.rules]]
+      name = "struct-tag"
+    [[linters-settings.rules]]
+      name = "blank-imports"
+    [[linters-settings.rules]]
+      name = "context-as-argument"
+    [[linters-settings.rules]]
+      name = "context-keys-type"
+    [[linters-settings.rules]]
+      name = "dot-imports"
+    [[linters-settings.rules]]
+      name = "error-return"
+    [[linters-settings.rules]]
+      name = "error-strings"
+    [[linters-settings.rules]]
+      name = "error-naming"
+    [[linters-settings.rules]]
+      name = "exported"
+    [[linters-settings.rules]]
+      name = "if-return"
+    [[linters-settings.rules]]
+      name = "increment-decrement"
+    [[linters-settings.rules]]
+      name = "var-naming"
+    [[linters-settings.rules]]
+      name = "var-declaration"
+    [[linters-settings.rules]]
+      name = "package-comments"
+    [[linters-settings.rules]]
+      name = "range"
+    [[linters-settings.rules]]
+      name = "receiver-naming"
+    [[linters-settings.rules]]
+      name = "time-naming"
+    [[linters-settings.rules]]
+      name = "unexported-return"
+    [[linters-settings.rules]]
+      name = "indent-error-flow"
+    [[linters-settings.rules]]
+      name = "errorf"
+    [[linters-settings.rules]]
+      name = "empty-block"
+    [[linters-settings.rules]]
+      name = "superfluous-else"
+    [[linters-settings.rules]]
+      name = "unused-parameter"
+    [[linters-settings.rules]]
+      name = "unreachable-code"
+    [[linters-settings.rules]]
+      name = "redefines-builtin-id"

  [linters-settings.gomoddirectives]
    replace-allow-list = [
@@ -56,6 +109,7 @@
      "github.com/gorilla/mux",
      "github.com/mailgun/minheap",
      "github.com/mailgun/multibuf",
+      "github.com/jaguilar/vt100",
    ]

 [linters]
@@ -100,6 +154,8 @@
    "nilnil", # not relevant
    "ireturn", # not relevant
    "contextcheck", # too many false-positive
+    "containedctx", # too many false-positive
+    "maintidx", # kind of duplicate of gocyclo
  ]

 [issues]
@@ -155,3 +211,9 @@
 [[issues.exclude-rules]]
    path = "pkg/log/deprecated.go"
    linters = ["godot"]
+ [[issues.exclude-rules]]
+    path = "(.+)\\.go"
+    text = "struct-tag: unknown option 'inline' in JSON tag"
+ [[issues.exclude-rules]]
+    path = "pkg/server/router/tcp/manager.go"
+    text = "Function 'buildEntryPointHandler' is too long (.+)"
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -12,7 +12,8 @@ builds:
      - CGO_ENABLED=0
    ldflags:
      - -s -w -X github.com/traefik/traefik/v2/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v2/pkg/version.BuildDate={{.Date}}
-
+    flags:
+      - -trimpath
    goos:
      - linux
      - darwin
@@ -25,6 +26,7 @@ builds:
      - arm
      - arm64
      - ppc64le
+      - s390x
    goarm:
      - 7
      - 6
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -25,49 +25,30 @@ global_job_config:
      - export "PATH=${GOPATH}/bin:${PATH}"
      - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
      - export GOPROXY=https://proxy.golang.org,direct
-      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.43.0
-      - curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
-      - go install github.com/containous/go-bindata/go-bindata@v1.0.0
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.45.0
+      - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
      - checkout
      - cache restore traefik-$(checksum go.sum)

 blocks:
-  - name: Test Integration Container
+  - name: Test Integration
    dependencies: []
    run:
      when: "branch =~ '.*' OR pull_request =~'.*'"
    task:
      jobs:
-        - name: Test Integration Container
+        - name: Test Integration
          commands:
            - make pull-images
-            - mkdir -p static # Avoid to generate webui
-            - PRE_TARGET="" make binary
-            - make test-integration-container
+            - touch webui/static/index.html # Avoid generating webui
+            - IN_DOCKER="" make binary
+            - make test-integration
            - df -h
      epilogue:
        always:
          commands:
            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod

-  - name: Test Integration Host
-    dependencies: []
-    run:
-      when: "branch =~ '.*' OR pull_request =~'.*'"
-    task:
-      env_vars:
-        - name: PRE_TARGET
-          value: ""
-      jobs:
-        - name: Test Integration Host
-          commands:
-            - mkdir -p static # Avoid to generate webui
-            - make test-integration-host
-      epilogue:
-        always:
-          commands:
-            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
-
  - name: Release
    dependencies: []
    run:
@@ -83,8 +64,8 @@ blocks:
        - name: GH_VERSION
          value: 1.12.1
        - name: CODENAME
-          value: "livarot"
-        - name: PRE_TARGET
+          value: "epoisses"
+        - name: IN_DOCKER
          value: ""
      prologue:
        commands:
@@ -92,6 +73,8 @@ blocks:
          - curl -sSL -o /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz
          - tar -zxvf /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz -C /tmp
          - sudo mv /tmp/gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin/gh
+          - sudo rm -rf ~/.phpbrew ~/.kerl ~/.sbt ~/.nvm ~/.npm ~/.kiex /usr/lib/jvm /opt/az /opt/firefox # Remove unnecessary data.
+          - sudo service docker stop && sudo umount /var/lib/docker && sudo service docker start # Unmounts the docker disk and the whole system disk is usable.
      jobs:
        - name: Release
          commands:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,243 @@
+## [v2.7.0-rc2](https://github.com/traefik/traefik/tree/v2.7.0-rc2) (2022-03-29)
+[All Commits](https://github.com/traefik/traefik/compare/v2.7.0-rc1...v2.7.0-rc2)
+
+**Documentation:**
+- **[hub]** Fix Traefik Hub TLS documentation ([#8883](https://github.com/traefik/traefik/pull/8883) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+**Misc:**
+- Merge current v2.6 into v2.7 ([#8899](https://github.com/traefik/traefik/pull/8899) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.6.3](https://github.com/traefik/traefik/tree/v2.6.3) (2022-03-28)
+[All Commits](https://github.com/traefik/traefik/compare/v2.6.2...v2.6.3)
+
+**Bug fixes:**
+- **[plugins]** Fix slice parsing for plugins ([#8886](https://github.com/traefik/traefik/pull/8886) by [ldez](https://github.com/ldez))
+- **[tls]** Return TLS unrecognized_name error when no certificate is available ([#8893](https://github.com/traefik/traefik/pull/8893) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.7.0-rc1](https://github.com/traefik/traefik/tree/v2.7.0-rc1) (2022-03-24)
+[All Commits](https://github.com/traefik/traefik/compare/v2.6.0-rc1...v2.7.0-rc1)
+
+**Enhancements:**
+- **[consulcatalog]** Watch for Consul events to rebuild the dynamic configuration ([#8476](https://github.com/traefik/traefik/pull/8476) by [JasonWangA](https://github.com/JasonWangA))
+- **[healthcheck]** Add Failover service ([#8825](https://github.com/traefik/traefik/pull/8825) by [tomMoulard](https://github.com/tomMoulard))
+- **[http3]** Configure advertised port using h3 server option ([#8778](https://github.com/traefik/traefik/pull/8778) by [kevinpollet](https://github.com/kevinpollet))
+- **[http3]** Upgrade quic-go to v0.25.0 ([#8760](https://github.com/traefik/traefik/pull/8760) by [sylr](https://github.com/sylr))
+- **[hub]** Add Traefik Hub Integration (Experimental Feature) ([#8837](https://github.com/traefik/traefik/pull/8837) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s/crd,k8s]** Allow empty services in Kubernetes CRD ([#8802](https://github.com/traefik/traefik/pull/8802) by [tomMoulard](https://github.com/tomMoulard))
+- **[metrics]** Support InfluxDB v2 metrics backend ([#8250](https://github.com/traefik/traefik/pull/8250) by [sh7dm](https://github.com/sh7dm))
+- **[plugins]** Remove Pilot token setup constraint to use plugins ([#8869](https://github.com/traefik/traefik/pull/8869) by [ldez](https://github.com/ldez))
+- **[provider]** Refactor configuration reload/throttling ([#6633](https://github.com/traefik/traefik/pull/6633) by [rkojedzinszky](https://github.com/rkojedzinszky))
+- **[rules,tcp]** Add HostSNIRegexp rule matcher for TCP ([#8849](https://github.com/traefik/traefik/pull/8849) by [rtribotte](https://github.com/rtribotte))
+- **[tcp]** Add muxer for TCP Routers ([#8182](https://github.com/traefik/traefik/pull/8182) by [dtomcej](https://github.com/dtomcej))
+- **[webui,pilot]** Add Traefik Hub access and remove Pilot access ([#8848](https://github.com/traefik/traefik/pull/8848) by [tomMoulard](https://github.com/tomMoulard))
+- **[webui]** Add a link to service on router detail view ([#8821](https://github.com/traefik/traefik/pull/8821) by [Tchoupinax](https://github.com/Tchoupinax))
+
+**Documentation:**
+-  Add a Feature Deprecation page ([#8868](https://github.com/traefik/traefik/pull/8868) by [ddtmachado](https://github.com/ddtmachado))
+
+**Misc:**
+- Merge current v2.6 into master ([#8877](https://github.com/traefik/traefik/pull/8877) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.6 into master ([#8865](https://github.com/traefik/traefik/pull/8865) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.6 into master ([#8832](https://github.com/traefik/traefik/pull/8832) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.6 into master ([#8793](https://github.com/traefik/traefik/pull/8793) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.6 into master ([#8777](https://github.com/traefik/traefik/pull/8777) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.6 into master ([#8757](https://github.com/traefik/traefik/pull/8757) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.6 into master ([#8754](https://github.com/traefik/traefik/pull/8754) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.6 into master ([#8736](https://github.com/traefik/traefik/pull/8736) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.6 into master ([#8689](https://github.com/traefik/traefik/pull/8689) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.6 into master ([#8666](https://github.com/traefik/traefik/pull/8666) by [tomMoulard](https://github.com/tomMoulard))
+
+## [v2.6.2](https://github.com/traefik/traefik/tree/v2.6.2) (2022-03-24)
+[All Commits](https://github.com/traefik/traefik/compare/v2.6.1...v2.6.2)
+
+**Bug fixes:**
+- **[file]** Bump paerser to v0.1.5 ([#8850](https://github.com/traefik/traefik/pull/8850) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Fix certificates resolver typo ([#8859](https://github.com/traefik/traefik/pull/8859) by [NReilingh](https://github.com/NReilingh))
+- **[docker]** doc: fix, docker uses Label(), not Tag() ([#8823](https://github.com/traefik/traefik/pull/8823) by [mpl](https://github.com/mpl))
+- **[http3]** Fix CLI syntax in HTTP/3 documentation ([#8864](https://github.com/traefik/traefik/pull/8864) by [nstankov-bg](https://github.com/nstankov-bg))
+- **[kv]** Fix small typo in Redis provider documentation ([#8858](https://github.com/traefik/traefik/pull/8858) by [lczw](https://github.com/lczw))
+- **[marathon]** Fix brand typo ([#8788](https://github.com/traefik/traefik/pull/8788) by [0xflotus](https://github.com/0xflotus))
+- **[middleware]** Fix fenced code block typo in Buffering middleware page ([#8855](https://github.com/traefik/traefik/pull/8855) by [Wingysam](https://github.com/Wingysam))
+- **[rules]** Adjust rule length in routers documentation ([#8819](https://github.com/traefik/traefik/pull/8819) by [rtribotte](https://github.com/rtribotte))
+- **[rules]** Fix HostRegexp examples ([#8817](https://github.com/traefik/traefik/pull/8817) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls,k8s/crd,k8s]** Add default certificate definition example for Kubernetes ([#8863](https://github.com/traefik/traefik/pull/8863) by [jwausle](https://github.com/jwausle))
+- **[tls,k8s]** Clarify TLS Option documentation ([#8756](https://github.com/traefik/traefik/pull/8756) by [mloiseleur](https://github.com/mloiseleur))
+- Clarify concepts documentation page ([#8836](https://github.com/traefik/traefik/pull/8836) by [NReilingh](https://github.com/NReilingh))
+- Spelling ([#8791](https://github.com/traefik/traefik/pull/8791) by [jsoref](https://github.com/jsoref))
+- Fix routing overview examples ([#8840](https://github.com/traefik/traefik/pull/8840) by [NReilingh](https://github.com/NReilingh))
+- Add a deprecation notices section ([#8829](https://github.com/traefik/traefik/pull/8829) by [ddtmachado](https://github.com/ddtmachado))
+
+## [v2.6.1](https://github.com/traefik/traefik/tree/v2.6.1) (2022-02-14)
+[All Commits](https://github.com/traefik/traefik/compare/v2.6.0...v2.6.1)
+
+**Bug fixes:**
+- **[acme]** Add domain to HTTP challenge errors ([#8740](https://github.com/traefik/traefik/pull/8740) by [ldez](https://github.com/ldez))
+- **[metrics]** Fix metrics bucket key high cardinality ([#8761](https://github.com/traefik/traefik/pull/8761) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware,tls]** Use CNAME for SNI check on host header ([#8773](https://github.com/traefik/traefik/pull/8773) by [ldez](https://github.com/ldez))
+- **[middleware,tracing]** Rename Datadog span tags ([#8323](https://github.com/traefik/traefik/pull/8323) by [luckielordie](https://github.com/luckielordie))
+- **[tls]** Apply the same approach as the rules system on the TLS configuration choice ([#8764](https://github.com/traefik/traefik/pull/8764) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Add Hurricane Electric to acme documentation ([#8746](https://github.com/traefik/traefik/pull/8746) by [vladshub](https://github.com/vladshub))
+- **[acme]** Clarify that ACME challenge is mandatory ([#8739](https://github.com/traefik/traefik/pull/8739) by [mpl](https://github.com/mpl))
+- **[http3]** Explain a bit more around enabling HTTP3 ([#8731](https://github.com/traefik/traefik/pull/8731) by [SantoDE](https://github.com/SantoDE))
+- **[metrics]** Fix mixups in metrics documentation ([#8752](https://github.com/traefik/traefik/pull/8752) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware,k8s/crd]** Fix Kubernetes TCP examples ([#8759](https://github.com/traefik/traefik/pull/8759) by [sylr](https://github.com/sylr))
+
+## [v2.6.0](https://github.com/traefik/traefik/tree/v2.6.0) (2022-01-24)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.0-rc1...v2.6.0)
+
+**Enhancements:**
+- **[acme]** Allow configuration of ACME certificates duration ([#8046](https://github.com/traefik/traefik/pull/8046) by [pmontepagano](https://github.com/pmontepagano))
+- **[consul,consulcatalog]** Support consul enterprise namespaces in consul catalog provider ([#8592](https://github.com/traefik/traefik/pull/8592) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Update gateway api provider to v1alpha2 ([#8535](https://github.com/traefik/traefik/pull/8535) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Support gateway api RouteNamespaces ([#8299](https://github.com/traefik/traefik/pull/8299) by [tomMoulard](https://github.com/tomMoulard))
+- **[k8s/crd]** Support Kubernetes basic-auth secrets ([#8189](https://github.com/traefik/traefik/pull/8189) by [dtomcej](https://github.com/dtomcej))
+- **[metrics]** Add configurable tags to influxdb metrics ([#8308](https://github.com/traefik/traefik/pull/8308) by [Tetha](https://github.com/Tetha))
+- **[metrics]** Add prefix to datadog metrics ([#8234](https://github.com/traefik/traefik/pull/8234) by [fredwangwang](https://github.com/fredwangwang))
+- **[middleware,tcp]** Add in flight connection middleware ([#8429](https://github.com/traefik/traefik/pull/8429) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Add Organizational Unit to passtlscert middleware ([#7958](https://github.com/traefik/traefik/pull/7958) by [FernFerret](https://github.com/FernFerret))
+- **[middleware]** Allow configuration of minimum body size for compress middleware ([#8239](https://github.com/traefik/traefik/pull/8239) by [lus](https://github.com/lus))
+- **[middleware]** Ceil Retry-After value in the rate-limit middleware ([#8581](https://github.com/traefik/traefik/pull/8581) by [pyaillet](https://github.com/pyaillet))
+- **[middleware]** Refactor Exponential Backoff ([#7519](https://github.com/traefik/traefik/pull/7519) by [danieladams456](https://github.com/danieladams456))
+- **[server,k8s/crd,k8s]** Allow configuration of HTTP/2 readIdleTimeout and pingTimeout ([#8539](https://github.com/traefik/traefik/pull/8539) by [tomMoulard](https://github.com/tomMoulard))
+- **[server]** Allow configuration of advertised port for HTTP/3 ([#8131](https://github.com/traefik/traefik/pull/8131) by [valerauko](https://github.com/valerauko))
+- **[tracing]** Upgrade Instana tracer and make process profiling configurable ([#8334](https://github.com/traefik/traefik/pull/8334) by [andriikushch](https://github.com/andriikushch))
+
+**Bug fixes:**
+- **[consul,kv]** Support Consul KV Enterprise namespaces ([#8692](https://github.com/traefik/traefik/pull/8692) by [kevinpollet](https://github.com/kevinpollet))
+- **[consul]** Support token authentication for Consul KV  ([#8712](https://github.com/traefik/traefik/pull/8712) by [kevinpollet](https://github.com/kevinpollet))
+- **[consulcatalog]** Configure Consul Catalog namespace at client level ([#8725](https://github.com/traefik/traefik/pull/8725) by [kevinpollet](https://github.com/kevinpollet))
+- **[tracing]** Upgrade Instana tracer dependency ([#8687](https://github.com/traefik/traefik/pull/8687) by [andriikushch](https://github.com/andriikushch))
+- **[logs]** Redact credentials before logging ([#8699](https://github.com/traefik/traefik/pull/8699) by [ibrahimalihc](https://github.com/ibrahimalihc))
+
+**Misc:**
+- Merge current v2.5 into v2.6 ([#8720](https://github.com/traefik/traefik/pull/8720) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8717](https://github.com/traefik/traefik/pull/8717) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8714](https://github.com/traefik/traefik/pull/8714) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into v2.6 ([#8688](https://github.com/traefik/traefik/pull/8688) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8664](https://github.com/traefik/traefik/pull/8664) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8651](https://github.com/traefik/traefik/pull/8651) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8645](https://github.com/traefik/traefik/pull/8645) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8609](https://github.com/traefik/traefik/pull/8609) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8563](https://github.com/traefik/traefik/pull/8563) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.5 into master ([#8498](https://github.com/traefik/traefik/pull/8498) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.5 into master ([#8461](https://github.com/traefik/traefik/pull/8461) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8435](https://github.com/traefik/traefik/pull/8435) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Merge current v2.5 into master ([#8419](https://github.com/traefik/traefik/pull/8419) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8411](https://github.com/traefik/traefik/pull/8411) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8316](https://github.com/traefik/traefik/pull/8316) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8298](https://github.com/traefik/traefik/pull/8298) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8289](https://github.com/traefik/traefik/pull/8289) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8241](https://github.com/traefik/traefik/pull/8241) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.6.0-rc3](https://github.com/traefik/traefik/tree/v2.6.0-rc3) (2022-01-20)
+[All Commits](https://github.com/traefik/traefik/compare/v2.6.0-rc2...v2.6.0-rc3)
+
+**Bug fixes:**
+- **[consul]** Support token authentication for Consul KV  ([#8712](https://github.com/traefik/traefik/pull/8712) by [kevinpollet](https://github.com/kevinpollet))
+
+**Misc:**
+- Merge current v2.5 into v2.6 ([#8717](https://github.com/traefik/traefik/pull/8717) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8714](https://github.com/traefik/traefik/pull/8714) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.5.7](https://github.com/traefik/traefik/tree/v2.5.7) (2022-01-20)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.6...v2.5.7)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.6.0 ([#8716](https://github.com/traefik/traefik/pull/8716) by [ldez](https://github.com/ldez))
+- **[logs]** Adjust log level from info to debug ([#8718](https://github.com/traefik/traefik/pull/8718) by [tomMoulard](https://github.com/tomMoulard))
+- **[plugins]** Fix middleware plugins memory leak ([#8702](https://github.com/traefik/traefik/pull/8702) by [ldez](https://github.com/ldez))
+- **[server]** Mitigate memory leak ([#8706](https://github.com/traefik/traefik/pull/8706) by [mpl](https://github.com/mpl))
+- **[webui,middleware]** Fix middleware regexp&#39;s display ([#8697](https://github.com/traefik/traefik/pull/8697) by [tomMoulard](https://github.com/tomMoulard))
+
+**Documentation:**
+- **[http]** Fix HTTP provider endpoint config example  ([#8715](https://github.com/traefik/traefik/pull/8715) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s]** Remove typo in Kubernetes providers labelSelector examples ([#8676](https://github.com/traefik/traefik/pull/8676) by [colinwilson](https://github.com/colinwilson))
+- **[rules]** Improve regexp matcher documentation ([#8686](https://github.com/traefik/traefik/pull/8686) by [Hades32](https://github.com/Hades32))
+- **[tracing]** Fix broken jaeger documentation link ([#8665](https://github.com/traefik/traefik/pull/8665) by [tomMoulard](https://github.com/tomMoulard))
+- Update copyright for 2022 ([#8679](https://github.com/traefik/traefik/pull/8679) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.6.0-rc2](https://github.com/traefik/traefik/tree/v2.6.0-rc2) (2022-01-12)
+[All Commits](https://github.com/traefik/traefik/compare/v2.6.0-rc1...v2.6.0-rc2)
+
+**Bug fixes:**
+- **[consul,kv]** Support Consul KV Enterprise namespaces ([#8692](https://github.com/traefik/traefik/pull/8692) by [kevinpollet](https://github.com/kevinpollet))
+- **[tracing]** Upgrade Instana tracer dependency ([#8687](https://github.com/traefik/traefik/pull/8687) by [andriikushch](https://github.com/andriikushch))
+
+**Misc:**
+- Merge current v2.5 into v2.6 ([#8688](https://github.com/traefik/traefik/pull/8688) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8664](https://github.com/traefik/traefik/pull/8664) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8651](https://github.com/traefik/traefik/pull/8651) by [tomMoulard](https://github.com/tomMoulard))
+
+## [v2.5.6](https://github.com/traefik/traefik/tree/v2.5.6) (2021-12-22)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.5...v2.5.6)
+
+**Bug fixes:**
+- **[middleware]** Process all X-Forwarded-For headers in the request ([#8596](https://github.com/traefik/traefik/pull/8596) by [kevinpollet](https://github.com/kevinpollet))
+- **[plugins]** Update Yaegi to v0.11.2 ([#8650](https://github.com/traefik/traefik/pull/8650) by [ldez](https://github.com/ldez))
+- **[server]** Update golang.org/x/net dependency version ([#8635](https://github.com/traefik/traefik/pull/8635) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[api]** Add missing API endpoints documentation ([#8649](https://github.com/traefik/traefik/pull/8649) by [ichxxx](https://github.com/ichxxx))
+- **[middleware]** Fix passTLSClientCert CRD example name ([#8637](https://github.com/traefik/traefik/pull/8637) by [ddtmachado](https://github.com/ddtmachado))
+- **[middleware]** Correct documentation in middleware overview ([#8636](https://github.com/traefik/traefik/pull/8636) by [Alestrix](https://github.com/Alestrix))
+
+## [v2.6.0-rc1](https://github.com/traefik/traefik/tree/v2.6.0-rc1) (2021-12-20)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.0-rc1...v2.6.0-rc1)
+
+**Enhancements:**
+- **[acme]** Allow configuration of ACME certificates duration ([#8046](https://github.com/traefik/traefik/pull/8046) by [pmontepagano](https://github.com/pmontepagano))
+- **[consul,consulcatalog]** Support consul enterprise namespaces in consul catalog provider ([#8592](https://github.com/traefik/traefik/pull/8592) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Update gateway api provider to v1alpha2 ([#8535](https://github.com/traefik/traefik/pull/8535) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Support gateway api RouteNamespaces ([#8299](https://github.com/traefik/traefik/pull/8299) by [tomMoulard](https://github.com/tomMoulard))
+- **[k8s/crd]** Support Kubernetes basic-auth secrets ([#8189](https://github.com/traefik/traefik/pull/8189) by [dtomcej](https://github.com/dtomcej))
+- **[metrics]** Add configurable tags to influxdb metrics ([#8308](https://github.com/traefik/traefik/pull/8308) by [Tetha](https://github.com/Tetha))
+- **[metrics]** Add prefix to datadog metrics ([#8234](https://github.com/traefik/traefik/pull/8234) by [fredwangwang](https://github.com/fredwangwang))
+- **[middleware,tcp]** Add in flight connection middleware ([#8429](https://github.com/traefik/traefik/pull/8429) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Add Organizational Unit to passtlscert middleware ([#7958](https://github.com/traefik/traefik/pull/7958) by [FernFerret](https://github.com/FernFerret))
+- **[middleware]** Allow configuration of minimum body size for compress middleware ([#8239](https://github.com/traefik/traefik/pull/8239) by [lus](https://github.com/lus))
+- **[middleware]** Ceil Retry-After value in the rate-limit middleware ([#8581](https://github.com/traefik/traefik/pull/8581) by [pyaillet](https://github.com/pyaillet))
+- **[middleware]** Refactor Exponential Backoff ([#7519](https://github.com/traefik/traefik/pull/7519) by [danieladams456](https://github.com/danieladams456))
+- **[server,k8s/crd,k8s]** Allow configuration of HTTP/2 readIdleTimeout and pingTimeout ([#8539](https://github.com/traefik/traefik/pull/8539) by [tomMoulard](https://github.com/tomMoulard))
+- **[server]** Allow configuration of advertised port for HTTP/3 ([#8131](https://github.com/traefik/traefik/pull/8131) by [valerauko](https://github.com/valerauko))
+- **[tracing]** Upgrade Instana tracer and make process profiling configurable ([#8334](https://github.com/traefik/traefik/pull/8334) by [andriikushch](https://github.com/andriikushch))
+
+**Misc:**
+- Merge current v2.5 into master ([#8609](https://github.com/traefik/traefik/pull/8609) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8563](https://github.com/traefik/traefik/pull/8563) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.5 into master ([#8498](https://github.com/traefik/traefik/pull/8498) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.5 into master ([#8461](https://github.com/traefik/traefik/pull/8461) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8435](https://github.com/traefik/traefik/pull/8435) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Merge current v2.5 into master ([#8419](https://github.com/traefik/traefik/pull/8419) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8411](https://github.com/traefik/traefik/pull/8411) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8316](https://github.com/traefik/traefik/pull/8316) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8298](https://github.com/traefik/traefik/pull/8298) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8289](https://github.com/traefik/traefik/pull/8289) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8241](https://github.com/traefik/traefik/pull/8241) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.5.5](https://github.com/traefik/traefik/tree/v2.5.5) (2021-12-09)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.4...v2.5.5)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.5.3 ([#8607](https://github.com/traefik/traefik/pull/8607) by [lippertmarkus](https://github.com/lippertmarkus))
+- **[k8s/crd,k8s]** fix: propagate source criterion config to RateLimit middleware in Kubernetes CRD ([#8591](https://github.com/traefik/traefik/pull/8591) by [rbailly-talend](https://github.com/rbailly-talend))
+- **[plugins]** plugins: start the go routine before calling Provide ([#8620](https://github.com/traefik/traefik/pull/8620) by [ldez](https://github.com/ldez))
+- **[plugins]** Update yaegi to v0.11.1 ([#8600](https://github.com/traefik/traefik/pull/8600) by [tomMoulard](https://github.com/tomMoulard))
+- **[plugins]** Update yaegi v0.11.0 ([#8564](https://github.com/traefik/traefik/pull/8564) by [ldez](https://github.com/ldez))
+- **[udp]** fix: increase UDP read buffer length to max datagram size ([#8560](https://github.com/traefik/traefik/pull/8560) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[consul]** docs: removing typo in consul-catalog provider doc ([#8603](https://github.com/traefik/traefik/pull/8603) by [tomMoulard](https://github.com/tomMoulard))
+- **[metrics]** docs: remove misleading metrics overview configuration ([#8579](https://github.com/traefik/traefik/pull/8579) by [gsilvapt](https://github.com/gsilvapt))
+- **[middleware]** docs: align docker configuration example notes in basicauth HTTP middleware ([#8615](https://github.com/traefik/traefik/pull/8615) by [tomMoulard](https://github.com/tomMoulard))
+- **[service]** docs: health check use readiness probe in k8s ([#8575](https://github.com/traefik/traefik/pull/8575) by [Vampouille](https://github.com/Vampouille))
+- **[tls]** docs: uniformize client TLS config documentation ([#8602](https://github.com/traefik/traefik/pull/8602) by [kevinpollet](https://github.com/kevinpollet))
+- Update CODE_OF_CONDUCT.md ([#8619](https://github.com/traefik/traefik/pull/8619) by [tfny](https://github.com/tfny))
+- fixed minor spelling error in Regexp Syntax section ([#8565](https://github.com/traefik/traefik/pull/8565) by [kerrsmith](https://github.com/kerrsmith))
+
 ## [v2.5.4](https://github.com/traefik/traefik/tree/v2.5.4) (2021-11-08)
 [All Commits](https://github.com/traefik/traefik/compare/v2.5.3...v2.5.4)

@@ -1614,7 +1854,7 @@ Same changelog as v2.0.3.
 - fix: remove extra backtick from routers docs ([#5572](https://github.com/traefik/traefik/pull/5572) by [serpi90](https://github.com/serpi90))
 - document providersThrottleDuration ([#5519](https://github.com/traefik/traefik/pull/5519) by [mpl](https://github.com/mpl))
 - Add a response forwarding section to the service documentation  ([#5517](https://github.com/traefik/traefik/pull/5517) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Change instances of &#34;dymanic&#34; to &#34;dynamic&#34; ([#5504](https://github.com/traefik/traefik/pull/5504) by [dat-gitto-kid](https://github.com/dat-gitto-kid))
+- Change instances of &#34;dynamic&#34; to &#34;dynamic&#34; ([#5504](https://github.com/traefik/traefik/pull/5504) by [dat-gitto-kid](https://github.com/dat-gitto-kid))
 - Add the pass host header section to the services documentation ([#5500](https://github.com/traefik/traefik/pull/5500) by [jbdoumenjou](https://github.com/jbdoumenjou))
 - fix misspelling on documentation landing page ([#5613](https://github.com/traefik/traefik/pull/5613) by [cthompson527](https://github.com/cthompson527))

@@ -2606,7 +2846,7 @@ Same changelog as v2.0.3.
 - **[healthcheck]** Query params in health check ([#4188](https://github.com/traefik/traefik/pull/4188) by [mmatur](https://github.com/mmatur))
 - **[metrics]** Upgraded DD APM library ([#4189](https://github.com/traefik/traefik/pull/4189) by [aantono](https://github.com/aantono))
 - **[middleware]** Fix ssl force host secure middleware ([#4138](https://github.com/traefik/traefik/pull/4138) by [mmatur](https://github.com/mmatur))
- **[oxy]** Fix unannonced trailers problem when body is empty ([#4258](https://github.com/traefik/traefik/pull/4258) by [juliens](https://github.com/juliens))
+- **[oxy]** Fix unannounced trailers problem when body is empty ([#4258](https://github.com/traefik/traefik/pull/4258) by [juliens](https://github.com/juliens))
 - **[provider,server]** Log configuration errors from providers and keeps listening ([#4230](https://github.com/traefik/traefik/pull/4230) by [geraldcroes](https://github.com/geraldcroes))
 - **[tls]** Implement Case-insensitive SNI matching ([#4132](https://github.com/traefik/traefik/pull/4132) by [dtomcej](https://github.com/dtomcej))
 - Use ParseInt instead of Atoi for parsing durations ([#4263](https://github.com/traefik/traefik/pull/4263) by [mmatur](https://github.com/mmatur))
@@ -3750,7 +3990,7 @@ Same changelog as v2.0.3.
 - **[etcd]** Fix typo in examples ([#2446](https://github.com/traefik/traefik/pull/2446) by [dahefanteng](https://github.com/dahefanteng))
 - **[k8s]** Add note to Kubernetes RBAC docs about RoleBindings and namespaces ([#2498](https://github.com/traefik/traefik/pull/2498) by [jmara](https://github.com/jmara))
 - **[k8s]** k8s guide: Leave note about assumed DaemonSet usage. ([#2634](https://github.com/traefik/traefik/pull/2634) by [timoreimann](https://github.com/timoreimann))
- **[k8s]** Apply various contentual and stylish improvements to the k8s docs. ([#2677](https://github.com/traefik/traefik/pull/2677) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Apply various contextual and stylish improvements to the k8s docs. ([#2677](https://github.com/traefik/traefik/pull/2677) by [timoreimann](https://github.com/timoreimann))
 - **[k8s]** Document rewrite-target annotation. ([#2676](https://github.com/traefik/traefik/pull/2676) by [timoreimann](https://github.com/timoreimann))
 - **[k8s]** Remove obsolete links in k8s docs ([#2465](https://github.com/traefik/traefik/pull/2465) by [marco-jantke](https://github.com/marco-jantke))
 - **[k8s]** Document filename parameter for Kubernetes. ([#2464](https://github.com/traefik/traefik/pull/2464) by [timoreimann](https://github.com/timoreimann))
@@ -3817,7 +4057,7 @@ Same changelog as v2.0.3.

 **Documentation:**
 - **[cluster]** Add a clustering example with Docker Swarm ([#2589](https://github.com/traefik/traefik/pull/2589) by [jmaitrehenry](https://github.com/jmaitrehenry))
- **[k8s]** Apply various contentual and stylish improvements to the k8s docs. ([#2677](https://github.com/traefik/traefik/pull/2677) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Apply various contextual and stylish improvements to the k8s docs. ([#2677](https://github.com/traefik/traefik/pull/2677) by [timoreimann](https://github.com/timoreimann))
 - **[k8s]** Document rewrite-target annotation. ([#2676](https://github.com/traefik/traefik/pull/2676) by [timoreimann](https://github.com/timoreimann))
 - **[provider,webui]** Fix redirect problem on dashboard + docs/tests on [web] ([#2686](https://github.com/traefik/traefik/pull/2686) by [Juliens](https://github.com/Juliens))

@@ -4527,7 +4767,7 @@ Same changelog as v2.0.3.
 [All Commits](https://github.com/traefik/traefik/compare/v1.3.7...v1.3.8)

 **Bug fixes:**
- **[middleware]** Compress and Webscocket ([#2079](https://github.com/traefik/traefik/pull/2079) by [ldez](https://github.com/ldez))
+- **[middleware]** Compress and Websocket ([#2079](https://github.com/traefik/traefik/pull/2079) by [ldez](https://github.com/ldez))

 ## [v1.3.7](https://github.com/traefik/traefik/tree/v1.3.7) (2017-08-25)
 [All Commits](https://github.com/traefik/traefik/compare/v1.3.6...v1.3.7)
@@ -4710,7 +4950,7 @@ Same changelog as v2.0.3.

 **Documentation:**
 - [#1578](https://github.com/traefik/traefik/issues/1578) Add Marathon guide. ([Stibbons](https://github.com/Stibbons))
- [#1602](https://github.com/traefik/traefik/issues/1602) Re Orginise k8s docs to make 1.6 usage easier ([errm](https://github.com/errm))
+- [#1602](https://github.com/traefik/traefik/issues/1602) Re Organise k8s docs to make 1.6 usage easier ([errm](https://github.com/errm))
 - [#1642](https://github.com/traefik/traefik/issues/1642) Update changelog ([ldez](https://github.com/ldez))

 ## [v1.3.0-rc2](https://github.com/traefik/traefik/tree/v1.3.0-rc2) (2017-05-16)
@@ -4863,7 +5103,7 @@ Same changelog as v2.0.3.
 - Bump go-rancher version [\#1219](https://github.com/traefik/traefik/pull/1219) ([SantoDE](https://github.com/SantoDE))
 - Chunk taskArns into groups of 100 [\#1209](https://github.com/traefik/traefik/pull/1209) ([owen](https://github.com/owen))
 - Prepare release v1.2.0 rc2 [\#1204](https://github.com/traefik/traefik/pull/1204) ([emilevauge](https://github.com/emilevauge))
- Revert "Ensure that we don't add balancees with no health check runs … [\#1198](https://github.com/traefik/traefik/pull/1198) ([jangie](https://github.com/jangie))
+- Revert "Ensure that we don't add balances with no health check runs … [\#1198](https://github.com/traefik/traefik/pull/1198) ([jangie](https://github.com/jangie))
 - Small fixes and improvements [\#1173](https://github.com/traefik/traefik/pull/1173) ([SantoDE](https://github.com/SantoDE))
 - Fix docker issues with global and dead tasks [\#1167](https://github.com/traefik/traefik/pull/1167) ([christopherobin](https://github.com/christopherobin))
 - Better ECS error checking [\#1143](https://github.com/traefik/traefik/pull/1143) ([lpetre](https://github.com/lpetre))
@@ -4889,7 +5129,7 @@ Same changelog as v2.0.3.
 - Add an ECS provider [\#1088](https://github.com/traefik/traefik/pull/1088) ([lpetre](https://github.com/lpetre))
 - Update comment to reflect the code [\#1087](https://github.com/traefik/traefik/pull/1087) ([np](https://github.com/np))
 - update NYTimes/gziphandler fixes \#1059 [\#1084](https://github.com/traefik/traefik/pull/1084) ([JamesKyburz](https://github.com/JamesKyburz))
- Ensure that we don't add balancees with no health check runs if there is a health check defined on it [\#1080](https://github.com/traefik/traefik/pull/1080) ([jangie](https://github.com/jangie))
+- Ensure that we don't add balances with no health check runs if there is a health check defined on it [\#1080](https://github.com/traefik/traefik/pull/1080) ([jangie](https://github.com/jangie))
 - Add FreeBSD & OpenBSD to crossbinary [\#1078](https://github.com/traefik/traefik/pull/1078) ([geoffgarside](https://github.com/geoffgarside))
 - Fix metrics for multiple entry points [\#1071](https://github.com/traefik/traefik/pull/1071) ([matevzmihalic](https://github.com/matevzmihalic))
 - Allow setting load balancer method and sticky using service annotations [\#1068](https://github.com/traefik/traefik/pull/1068) ([bakins](https://github.com/bakins))
@@ -4945,7 +5185,7 @@ Same changelog as v2.0.3.
 - Bind to specific ip address [\#1193](https://github.com/traefik/traefik/issues/1193)
 - DNS01 challenge use the wrong zone through route53 [\#1192](https://github.com/traefik/traefik/issues/1192)
 - Reverse proxy https to http backends fails [\#1180](https://github.com/traefik/traefik/issues/1180)
- Swarm Mode + Letsecrypt + KV Store [\#1176](https://github.com/traefik/traefik/issues/1176)
+- Swarm Mode + Letsencrypt + KV Store [\#1176](https://github.com/traefik/traefik/issues/1176)
 - docker deploy -c example.yml    e [\#1169](https://github.com/traefik/traefik/issues/1169)
 - Traefik not finding dynamically added services \(Docker Swarm Mode\) [\#1168](https://github.com/traefik/traefik/issues/1168)
 - Traefik with Kubernetes backend - keep getting 401 on all GET requests to kube-apiserver [\#1166](https://github.com/traefik/traefik/issues/1166)
@@ -4963,7 +5203,7 @@ Same changelog as v2.0.3.

 **Merged pull requests:**

- Revert "Ensure that we don't add balancees with no health check runs … [\#1198](https://github.com/traefik/traefik/pull/1198) ([jangie](https://github.com/jangie))
+- Revert "Ensure that we don't add balances with no health check runs … [\#1198](https://github.com/traefik/traefik/pull/1198) ([jangie](https://github.com/jangie))
 - Small fixes and improvements [\#1173](https://github.com/traefik/traefik/pull/1173) ([SantoDE](https://github.com/SantoDE))
 - Fix docker issues with global and dead tasks [\#1167](https://github.com/traefik/traefik/pull/1167) ([christopherobin](https://github.com/christopherobin))
 - Better ECS error checking [\#1143](https://github.com/traefik/traefik/pull/1143) ([lpetre](https://github.com/lpetre))
@@ -5034,7 +5274,7 @@ Same changelog as v2.0.3.
 - Add an ECS provider [\#1088](https://github.com/traefik/traefik/pull/1088) ([lpetre](https://github.com/lpetre))
 - Update comment to reflect the code [\#1087](https://github.com/traefik/traefik/pull/1087) ([np](https://github.com/np))
 - update NYTimes/gziphandler fixes \#1059 [\#1084](https://github.com/traefik/traefik/pull/1084) ([JamesKyburz](https://github.com/JamesKyburz))
- Ensure that we don't add balancees with no health check runs if there is a health check defined on it [\#1080](https://github.com/traefik/traefik/pull/1080) ([jangie](https://github.com/jangie))
+- Ensure that we don't add balances with no health check runs if there is a health check defined on it [\#1080](https://github.com/traefik/traefik/pull/1080) ([jangie](https://github.com/jangie))
 - Add FreeBSD & OpenBSD to crossbinary [\#1078](https://github.com/traefik/traefik/pull/1078) ([geoffgarside](https://github.com/geoffgarside))
 - Fix metrics for multiple entry points [\#1071](https://github.com/traefik/traefik/pull/1071) ([matevzmihalic](https://github.com/matevzmihalic))
 - Allow setting load balancer method and sticky using service annotations [\#1068](https://github.com/traefik/traefik/pull/1068) ([bakins](https://github.com/bakins))
@@ -5213,7 +5453,7 @@ Same changelog as v2.0.3.
 - Documented ProvidersThrottleDuration value is invalid [\#741](https://github.com/traefik/traefik/issues/741)
 - Sensible configuration for consulCatalog [\#737](https://github.com/traefik/traefik/issues/737)
 - Traefik ignoring container listening in more than one TCP port [\#734](https://github.com/traefik/traefik/issues/734)
- Loadbalaning issues with traefik and Docker Swarm cluster [\#730](https://github.com/traefik/traefik/issues/730)
+- Loadbalancing issues with traefik and Docker Swarm cluster [\#730](https://github.com/traefik/traefik/issues/730)
 - issues with marathon app ids containing a dot [\#726](https://github.com/traefik/traefik/issues/726)
 - Error when using HA acme in kubernetes with etcd [\#725](https://github.com/traefik/traefik/issues/725)
 - \[Docker swarm mode\] No round robin when using service [\#718](https://github.com/traefik/traefik/issues/718)
@@ -5252,7 +5492,7 @@ Same changelog as v2.0.3.
 - Update docs with new Mesos provider [\#548](https://github.com/traefik/traefik/issues/548)
 - Can I use Traefik without a domain name? [\#539](https://github.com/traefik/traefik/issues/539)
 - docker run syntax in swarm example has changed [\#528](https://github.com/traefik/traefik/issues/528)
- Priortities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
+- Priorities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
 - Route by path [\#500](https://github.com/traefik/traefik/issues/500)
 - Secure WebSockets [\#467](https://github.com/traefik/traefik/issues/467)
 - Container IP Lost [\#375](https://github.com/traefik/traefik/issues/375)
@@ -5310,7 +5550,7 @@ Same changelog as v2.0.3.
 - Update marathon [\#648](https://github.com/traefik/traefik/pull/648) ([emilevauge](https://github.com/emilevauge))
 - Add backend features to docker [\#646](https://github.com/traefik/traefik/pull/646) ([jangie](https://github.com/jangie))
 - enable consul catalog to use maxconn [\#645](https://github.com/traefik/traefik/pull/645) ([jangie](https://github.com/jangie))
- Adopt the Code Of Coduct from http://contributor-covenant.org [\#641](https://github.com/traefik/traefik/pull/641) ([errm](https://github.com/errm))
+- Adopt the Code Of Conduct from http://contributor-covenant.org [\#641](https://github.com/traefik/traefik/pull/641) ([errm](https://github.com/errm))
 - Use secure mode 600 instead of 644 for acme.json [\#639](https://github.com/traefik/traefik/pull/639) ([discordianfish](https://github.com/discordianfish))
 - docker clarification, fix dead urls, misc typos [\#637](https://github.com/traefik/traefik/pull/637) ([djalal](https://github.com/djalal))
 - add PING handler to dashboard API [\#630](https://github.com/traefik/traefik/pull/630) ([jangie](https://github.com/jangie))
@@ -5399,7 +5639,7 @@ Same changelog as v2.0.3.
 - dependencies installation error [\#755](https://github.com/traefik/traefik/issues/755)
 - k8s provider w/ acme? [\#752](https://github.com/traefik/traefik/issues/752)
 - Documented ProvidersThrottleDuration value is invalid [\#741](https://github.com/traefik/traefik/issues/741)
- Loadbalaning issues with traefik and Docker Swarm cluster [\#730](https://github.com/traefik/traefik/issues/730)
+- Loadbalancing issues with traefik and Docker Swarm cluster [\#730](https://github.com/traefik/traefik/issues/730)
 - issues with marathon app ids containing a dot [\#726](https://github.com/traefik/traefik/issues/726)
 - How Routing traffic depending on path not domain in docker [\#706](https://github.com/traefik/traefik/issues/706)
 - Traefik crashes when using Consul catalog [\#699](https://github.com/traefik/traefik/issues/699)
@@ -5508,7 +5748,7 @@ Same changelog as v2.0.3.
 - Traefik stuck when used as frontend for a streaming API [\#560](https://github.com/traefik/traefik/issues/560)
 - Exclude some frontends in consul catalog [\#555](https://github.com/traefik/traefik/issues/555)
 - Can I use Traefik without a domain name? [\#539](https://github.com/traefik/traefik/issues/539)
- Priortities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
+- Priorities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
 - Route by path [\#500](https://github.com/traefik/traefik/issues/500)
 - Container IP Lost [\#375](https://github.com/traefik/traefik/issues/375)

@@ -5533,7 +5773,7 @@ Same changelog as v2.0.3.
 - Update marathon [\#648](https://github.com/traefik/traefik/pull/648) ([emilevauge](https://github.com/emilevauge))
 - Add backend features to docker [\#646](https://github.com/traefik/traefik/pull/646) ([jangie](https://github.com/jangie))
 - enable consul catalog to use maxconn [\#645](https://github.com/traefik/traefik/pull/645) ([jangie](https://github.com/jangie))
- Adopt the Code Of Coduct from http://contributor-covenant.org [\#641](https://github.com/traefik/traefik/pull/641) ([errm](https://github.com/errm))
+- Adopt the Code Of Conduct from http://contributor-covenant.org [\#641](https://github.com/traefik/traefik/pull/641) ([errm](https://github.com/errm))
 - Use secure mode 600 instead of 644 for acme.json [\#639](https://github.com/traefik/traefik/pull/639) ([discordianfish](https://github.com/discordianfish))
 - docker clarification, fix dead urls, misc typos [\#637](https://github.com/traefik/traefik/pull/637) ([djalal](https://github.com/djalal))
 - add PING handler to dashboard API [\#630](https://github.com/traefik/traefik/pull/630) ([jangie](https://github.com/jangie))
@@ -5609,7 +5849,7 @@ Same changelog as v2.0.3.
 **Closed issues:**

 - Can I use Traefik without a domain name? [\#539](https://github.com/traefik/traefik/issues/539)
- Priortities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
+- Priorities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
 - Route by path [\#500](https://github.com/traefik/traefik/issues/500)

 **Merged pull requests:**
@@ -5709,7 +5949,7 @@ Same changelog as v2.0.3.
 - Traefik doesn't listen on IPv4 ports [\#434](https://github.com/traefik/traefik/issues/434)
 - Not listening on port 80 [\#432](https://github.com/traefik/traefik/issues/432)
 - docs need updating for new frontend rules format [\#423](https://github.com/traefik/traefik/issues/423)
- Does traefik supports for Mac? \(For devlelopment\)  [\#417](https://github.com/traefik/traefik/issues/417)
+- Does traefik supports for Mac? \(For development\)  [\#417](https://github.com/traefik/traefik/issues/417)

 **Merged pull requests:**

--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -2,7 +2,7 @@

 ## Our Pledge

-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience,nationality, personal appearance, race, religion, or sexual identity and orientation.
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

 ## Our Standards

@@ -30,15 +30,19 @@ Project maintainers have the right and responsibility to remove, edit, or reject

 ## Scope

-This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. 
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or our community. 
+
 Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. 
 Representation of a project may be further defined and clarified by project maintainers.

 ## Enforcement

 Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@traefik.io
+
 All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. 
+
 The project team is obligated to maintain confidentiality with regard to the reporter of an incident. 
+
 Further details of specific enforcement policies may be posted separately.

 Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,6 +1,6 @@
 The MIT License (MIT)

-Copyright (c) 2016-2020 Containous SAS; 2020-2021 Traefik Labs
+Copyright (c) 2016-2020 Containous SAS; 2020-2022 Traefik Labs

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/101
+++ b/101
@@ -7,15 +7,13 @@ SHA := $(shell git rev-parse HEAD)
 VERSION_GIT := $(if $(TAG_NAME),$(TAG_NAME),$(SHA))
 VERSION := $(if $(VERSION),$(VERSION),$(VERSION_GIT))

-BIND_DIR := dist
-
 GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
 TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))

 REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
 TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"traefik/traefik")

-INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
+INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)",-v "/var/run/docker.sock:/var/run/docker.sock")
 DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)

 TRAEFIK_ENVS := \
@@ -29,21 +27,20 @@ TRAEFIK_ENVS := \
 	-e CI \
 	-e CONTAINER=DOCKER		# Indicator for integration tests that we are running inside a container.

-TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/traefik/traefik/$(BIND_DIR)"
+TRAEFIK_MOUNT := -v "$(CURDIR)/dist:/go/src/github.com/traefik/traefik/dist"
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
 DOCKER_NON_INTERACTIVE ?= false
-DOCKER_RUN_TRAEFIK := docker run --add-host=host.docker.internal:127.0.0.1 $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK_TEST := docker run --add-host=host.docker.internal:127.0.0.1 --rm --name=traefik --network traefik-test-network -v $(PWD):$(PWD) -w $(PWD) $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
 DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -i) $(DOCKER_RUN_OPTS)

-PRE_TARGET ?= build-dev-image
-
-PLATFORM_URL := $(if $(PLATFORM_URL),$(PLATFORM_URL),"https://pilot.traefik.io")
+IN_DOCKER ?= true

 default: binary

 ## Build Dev Docker image
 build-dev-image: dist
-	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
+	$(if $(IN_DOCKER),docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .,)

 ## Build Dev Docker image without cache
 build-dev-image-no-cache: dist
@@ -51,25 +48,33 @@ build-dev-image-no-cache: dist

 ## Create the "dist" directory
 dist:
-	mkdir dist
+	mkdir -p dist

 ## Build WebUI Docker image
 build-webui-image:
-	docker build -t traefik-webui --build-arg ARG_PLATFORM_URL=$(PLATFORM_URL) -f webui/Dockerfile webui
+	docker build -t traefik-webui -f webui/Dockerfile webui
+
+## Clean WebUI static generated assets
+clean-webui:
+	rm -r webui/static
+	mkdir -p webui/static
+	echo 'For more information show `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md

 ## Generate WebUI
-generate-webui:
-	if [ ! -d "static" ]; then \
-		$(MAKE) build-webui-image; \
-		mkdir -p static; \
-		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build:nc; \
-		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ../static; \
-		echo 'For more information show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
-	fi
+webui/static/index.html:
+	$(MAKE) build-webui-image
+	docker run --rm -v "$$PWD/webui/static":'/src/webui/static' traefik-webui yarn build:nc
+	docker run --rm -v "$$PWD/webui/static":'/src/webui/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ./static

-## Build the linux binary
-binary: generate-webui $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
+generate-webui: webui/static/index.html
+
+## Build the binary
+binary: generate-webui build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
+
+## Build the linux binary locally
+binary-debug: generate-webui
+	GOOS=linux ./script/make.sh binary

 ## Build the binary for the standard platforms (linux, darwin, windows)
 crossbinary-default: generate-webui build-dev-image
@@ -82,48 +87,48 @@ crossbinary-default-parallel:

 ## Run the unit and integration tests
 test: build-dev-image
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate test-unit binary test-integration
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST),) ./script/make.sh generate test-unit binary test-integration

 ## Run the unit tests
-test-unit: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate test-unit
+test-unit: build-dev-image
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST)) ./script/make.sh generate test-unit
+
+## Run the integration tests
+test-integration: build-dev-image
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST),) ./script/make.sh generate binary test-integration

 ## Pull all images for integration tests
 pull-images:
 	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull

-## Run the integration tests
-test-integration: $(PRE_TARGET) binary
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh test-integration
-	TEST_HOST=1 ./script/make.sh test-integration
-
-## Run the container integration tests
-test-integration-container: $(PRE_TARGET) binary
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh test-integration
-
-## Run the host integration tests
-test-integration-host: $(PRE_TARGET) binary
-	TEST_HOST=1 ./script/make.sh test-integration
-
 ## Validate code and docs
-validate-files: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
+validate-files: build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
 	bash $(CURDIR)/script/validate-shell-script.sh

 ## Validate code, docs, and vendor
-validate: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
+validate: build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
 	bash $(CURDIR)/script/validate-shell-script.sh

 ## Clean up static directory and build a Docker Traefik image
-build-image: binary
-	rm -rf static
+build-image: clean-webui binary
 	docker build -t $(TRAEFIK_IMAGE) .

 ## Build a Docker Traefik image
 build-image-dirty: binary
 	docker build -t $(TRAEFIK_IMAGE) .

+## Locally build traefik for linux, then shove it an alpine image, with basic tools.
+build-image-debug: binary-debug
+	docker build -t $(TRAEFIK_IMAGE) -f debug.Dockerfile .
+
 ## Start a shell inside the build env
 shell: build-dev-image
 	$(DOCKER_RUN_TRAEFIK) /bin/bash
@@ -149,17 +154,17 @@ generate-genconf:
 	go run ./cmd/internal/gen/

 ## Create packages for the release
-release-packages: generate-webui $(PRE_TARGET)
+release-packages: generate-webui build-dev-image
 	rm -rf dist
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \
 		--exclude .travis \
 		--exclude .semaphoreci \
 		--exclude .github \
 		--exclude dist .
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) chown -R $(shell id -u):$(shell id -g) dist/
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) chown -R $(shell id -u):$(shell id -g) dist/

 ## Format the Code
 fmt:
--- a/README.md
+++ b/README.md
@@ -88,8 +88,6 @@ You can access the simple HTML frontend of Traefik.

 You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).

-If you are using Traefik v1, you can find the complete documentation at [https://doc.traefik.io/traefik/v1.7/](https://doc.traefik.io/traefik/v1.7/).
-
 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).

 ## Support
--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -1,7 +1,6 @@
 FROM golang:1.17-alpine

-RUN apk --update upgrade \
-    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
+RUN apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
    && update-ca-certificates \
    && rm -rf /var/cache/apk/*

@@ -13,19 +12,14 @@ RUN mkdir -p /usr/local/bin \
    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz \
    | tar -xzC /usr/local/bin --transform 's#^.+/##x'

-# Download go-bindata binary to bin folder in $GOPATH
-RUN mkdir -p /usr/local/bin \
-    && curl -fsSL -o /usr/local/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata \
-    && chmod +x /usr/local/bin/go-bindata
-
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.43.0
+RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- -b $GOPATH/bin v1.45.0

 # Download misspell binary to bin folder in $GOPATH
-RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
+RUN curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4

 # Download goreleaser binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh
+RUN curl -sfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | sh

 WORKDIR /go/src/github.com/traefik/traefik

--- a/cmd/traefik/plugins.go
+++ b/cmd/traefik/plugins.go
@@ -27,10 +27,10 @@ func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]p
 	var client *plugins.Client
 	plgs := map[string]plugins.Descriptor{}

-	if isPilotEnabled(staticCfg) && hasPlugins(staticCfg) {
+	if hasPlugins(staticCfg) {
 		opts := plugins.ClientOptions{
 			Output: outputDir,
-			Token:  staticCfg.Pilot.Token,
+			Token:  getPilotToken(staticCfg),
 		}

 		var err error
@@ -79,6 +79,14 @@ func isPilotEnabled(staticCfg *static.Configuration) bool {
 	return staticCfg.Pilot != nil && staticCfg.Pilot.Token != ""
 }

+func getPilotToken(staticCfg *static.Configuration) string {
+	if staticCfg.Pilot == nil {
+		return ""
+	}
+
+	return staticCfg.Pilot.Token
+}
+
 func hasPlugins(staticCfg *static.Configuration) bool {
 	return staticCfg.Experimental != nil && len(staticCfg.Experimental.Plugins) > 0
 }
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -16,12 +16,10 @@ import (
 	"time"

 	"github.com/coreos/go-systemd/daemon"
-	assetfs "github.com/elazarl/go-bindata-assetfs"
 	"github.com/go-acme/lego/v4/challenge"
 	gokitmetrics "github.com/go-kit/kit/metrics"
 	"github.com/sirupsen/logrus"
 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v2/autogen/genstatic"
 	"github.com/traefik/traefik/v2/cmd"
 	"github.com/traefik/traefik/v2/cmd/healthcheck"
 	cmdVersion "github.com/traefik/traefik/v2/cmd/version"
@@ -109,10 +107,6 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		log.WithoutContext().Debugf("Static configuration loaded %s", string(jsonConf))
 	}

-	if staticConfiguration.API != nil && staticConfiguration.API.Dashboard {
-		staticConfiguration.API.DashboardAssets = &assetfs.AssetFS{Asset: genstatic.Asset, AssetInfo: genstatic.AssetInfo, AssetDir: genstatic.AssetDir, Prefix: "static"}
-	}
-
 	if staticConfiguration.Global.CheckNewVersion {
 		checkNewVersion()
 	}
@@ -186,8 +180,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	tlsManager := traefiktls.NewManager()
 	httpChallengeProvider := acme.NewChallengeHTTP()

-	// we need to wait at least 2 times the ProvidersThrottleDuration to be sure to handle the challenge.
-	tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration) * 2)
+	tlsChallengeProvider := acme.NewChallengeTLSALPN()
 	err = providerAggregator.AddProvider(tlsChallengeProvider)
 	if err != nil {
 		return nil, err
@@ -197,7 +190,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	// Entrypoints

-	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver)
 	if err != nil {
 		return nil, err
 	}
@@ -222,6 +215,8 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	}

 	if staticConfiguration.Pilot != nil {
+		log.WithoutContext().Warn("Traefik Pilot is deprecated and will be removed soon. Please check our Blog for migration instructions later this year")
+
 		version.PilotEnabled = staticConfiguration.Pilot.Dashboard
 	}

@@ -246,6 +241,19 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		}
 	}

+	// Traefik Hub
+
+	if staticConfiguration.Hub != nil {
+		if err = providerAggregator.AddProvider(staticConfiguration.Hub); err != nil {
+			return nil, fmt.Errorf("adding Traefik Hub provider: %w", err)
+		}
+
+		// API is mandatory for Traefik Hub to access the dynamic configuration.
+		if staticConfiguration.API == nil {
+			staticConfiguration.API = &static.API{}
+		}
+	}
+
 	// Metrics

 	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
@@ -271,7 +279,6 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	watcher := server.NewConfigurationWatcher(
 		routinesPool,
 		providerAggregator,
-		time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration),
 		getDefaultsEntrypoints(staticConfiguration),
 		"internal",
 	)
@@ -329,7 +336,10 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 				continue
 			}

-			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
+			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok &&
+				// "traefik-hub" is an allowed certificate resolver name in a Traefik Hub Experimental feature context.
+				// It is used to activate its own certificate resolution, even though it is not a "classical" traefik certificate resolver.
+				(staticConfiguration.Hub == nil || rt.TLS.CertResolver != "traefik-hub") {
 				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
 			}
 		}
@@ -352,6 +362,11 @@ func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvid
 func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
 	var defaultEntryPoints []string
 	for name, cfg := range staticConfiguration.EntryPoints {
+		// Traefik Hub entryPoint should not be part of the set of default entryPoints.
+		if staticConfiguration.Hub != nil && staticConfiguration.Hub.EntryPoint == name {
+			continue
+		}
+
 		protocol, err := cfg.GetProtocol()
 		if err != nil {
 			// Should never happen because Traefik should not start if protocol is invalid.
@@ -456,6 +471,16 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
 	}

+	if metricsConfig.InfluxDB2 != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb2"))
+		influxDB2Register := metrics.RegisterInfluxDB2(ctx, metricsConfig.InfluxDB2)
+		if influxDB2Register != nil {
+			registries = append(registries, influxDB2Register)
+			log.FromContext(ctx).Debugf("Configured InfluxDB v2 metrics: pushing to %s (%s org/%s bucket) once every %s",
+				metricsConfig.InfluxDB2.Address, metricsConfig.InfluxDB2.Org, metricsConfig.InfluxDB2.Bucket, metricsConfig.InfluxDB2.PushInterval)
+		}
+	}
+
 	return registries
 }

--- a/debug.Dockerfile
+++ b/debug.Dockerfile
@@ -0,0 +1,10 @@
+FROM alpine:3.14
+# Feel free to add below any helpful dependency for debugging.
+# iproute2 is for ss.
+RUN apk --no-cache --no-progress add bash curl ca-certificates tzdata lsof iproute2 \
+    && update-ca-certificates \
+    && rm -rf /var/cache/apk/*
+COPY dist/traefik /
+EXPOSE 80
+VOLUME ["/tmp"]
+ENTRYPOINT ["/traefik"]
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -45,7 +45,7 @@ $ ls dist/
 traefik*
 ```

-The following targets can be executed outside Docker by setting the variable `PRE_TARGET` to an empty string (we don't recommend that):
+The following targets can be executed outside Docker by setting the variable `IN_DOCKER` to an empty string (although be aware that some of the tests might fail in that context):

 - `test-unit`
 - `test-integration`
@@ -55,7 +55,7 @@ The following targets can be executed outside Docker by setting the variable `PR
 ex:

 ```bash
-PRE_TARGET= make test-unit
+IN_DOCKER= make test-unit
 ```

 ### Method 2: Using `go`
@@ -64,7 +64,6 @@ Requirements:

 - `go` v1.16+
 - environment variable `GO111MODULE=on`
- [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`

 !!! tip "Source Directory"

@@ -101,18 +100,9 @@ Requirements:

 Once you've set up your go environment and cloned the source repository, you can build Traefik.

-Beforehand, you need to get [go-bindata](https://github.com/containous/go-bindata) (the first time) in order to be able to use the `go generate` command (which is part of the build process).
-
-```bash
-cd ~/go/src/github.com/traefik/traefik
-
-# Get go-bindata. (Important: the ellipses are required.)
-GO111MODULE=off go get github.com/containous/go-bindata/...
-```
-
 ```bash
 # Generate UI static files
-rm -rf static/ autogen/; make generate-webui
+make clean-webui generate-webui

 # required to merge non-code components into the final binary,
 # such as the web dashboard/UI
--- a/docs/content/deprecation/features.md
+++ b/docs/content/deprecation/features.md
@@ -0,0 +1,20 @@
+# Feature Deprecation Notices
+
+This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.
+
+| Feature                                               | Deprecated | End of Support | Removal |
+|-------------------------------------------------------|------------|----------------|---------|
+| [Pilot Dashboard (Metrics)](#pilot-dashboard-metrics) | 2.7        | 2.8            | 2.9     |
+| [Pilot Plugins](#pilot-plugins)                       | 2.7        | 2.8            | 2.9     |
+
+## Impact
+
+### Pilot Dashboard (Metrics)
+
+Metrics will continue to function normally up to 2.8, when they will be disabled.  
+In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.
+
+### Pilot Plugins 
+
+Starting on 2.7 the pilot token will not be a requirement anymore.  
+At 2.9, a new plugin catalog home should be available, decoupled from pilot.
--- a/docs/content/deprecation/releases.md
+++ b/docs/content/deprecation/releases.md
@@ -0,0 +1,37 @@
+# Releases
+
+## Versions
+
+Below is a non-exhaustive list of versions and their maintenance status:
+
+| Version | Release Date | Active Support     | Security Support | 
+|---------|--------------|--------------------|------------------|
+| 2.6     | Jan 24, 2022 |      Yes           |       Yes        |
+| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 |       No         |
+| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 |       No         |
+| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 |       No         |
+| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 |       No         |
+| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 |       No         |
+| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 |       No         |
+| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 |  Contact Support |
+
+??? example "Active Support / Security Support"
+
+    **Active support**: receives any bug fixes.
+    **Security support**: receives only critical bug and security fixes.
+
+This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.
+
+Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v1 to v2 migration guide](../migration/v1-to-v2.md).
+
+!!! important "All target dates for end of support or feature removal announcements may be subject to change."
+
+## Versioning Scheme
+
+The Traefik Proxy project follows the [semantic versioning](https://semver.org/) scheme and maintains a separate branch for each minor version. The main branch always represents the next upcoming minor or major version.
+
+And these are our guiding rules for version support:
+
+- **Only the latest `minor`** will be on active support at any given time
+- **The last `minor` after releasing a new `major`** will be supported for 1 year following the `major` release
+- **Previous rules are subject to change** and in such cases an announcement will be made publicly, [here](https://traefik.io/blog/traefik-2-1-in-the-wild/) is an example extending v1.x branch support.
--- a/docs/content/getting-started/concepts.md
+++ b/docs/content/getting-started/concepts.md
@@ -19,7 +19,7 @@ Deploying your services, you attach information that tells Traefik the character
 ![Decentralized Configuration](../assets/img/traefik-concepts-2.png)

 It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
-The opposite is true: when you remove a service from your infrastructure, the route will disappear accordingly.
+Similarly, when a service is removed from the infrastructure, the corresponding route is deleted accordingly.

 You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.

--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -51,7 +51,7 @@ Once positioned, this option sets (and resets) all the default values of the sub

 ### Configuration File

-At startup, Traefik searches for a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in:
+At startup, Traefik searches for static configuration in a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in:

 - `/etc/traefik/`
 - `$XDG_CONFIG_HOME/`
@@ -74,7 +74,7 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:2.1 --help
+# ex: docker run traefik:v2.7 --help
 ```

 All available arguments can also be found [here](../reference/static-configuration/cli.md).
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -11,12 +11,12 @@ You can install Traefik with the following flavors:

 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:

-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.5/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.5/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.6/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.6/traefik.sample.toml)

 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.5
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.7
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -24,7 +24,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip

    * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.5`
+    ex: `traefik:v2.7`
    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
    * Any orchestrator using docker images can fetch the official Traefik docker image.

--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -15,7 +15,7 @@ version: '3'
 services:
  reverse-proxy:
    # The official v2 Traefik docker image
-    image: traefik:v2.5
+    image: traefik:v2.7
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -23,7 +23,9 @@ Certificates are requested for domain names retrieved from the router's [dynamic

 You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).

-!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+!!! warning "Defining an [ACME challenge type](#the-different-acme-challenges) is a requirement for a certificate resolver to be functional."
+
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."

 ??? note "Configuration Reference"

@@ -114,7 +116,7 @@ Please check the [configuration examples below](#configuration-examples) for mor
    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
    ```

-!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."

 ??? example "Single Domain from Router's Rule Example"

@@ -140,7 +142,11 @@ Please check the [configuration examples below](#configuration-examples) for mor

 Traefik automatically tracks the expiry date of ACME certificates it generates.

-If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.
+By default, Traefik manages 90 days certificates,
+and starts to renew certificates 30 days before their expiry.
+
+When using a certificate resolver that issues certificates with custom durations,
+one can configure the certificates' duration with the [`certificatesDuration`](#certificatesduration) option.

 !!! info ""
    Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
@@ -154,7 +160,9 @@ When using LetsEncrypt with kubernetes, there are some known caveats with both t

 ## The Different ACME Challenges

-!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+!!! warning "Defining one ACME challenge is a requirement for a certificate resolver to be functional."
+
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."

 ### `tlsChallenge`

@@ -325,6 +333,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)    |
 | [Hosttech](https://www.hosttech.eu)                         | `hosttech`     | `HOSTTECH_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)     |
 | [HyperOne](https://www.hyperone.com)                        | `hyperone`     | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)     |
+| [Hurricane Electric](https://dns.he.net)                    | `hurricane`    | `HURRICANE_TOKENS` [^6]                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/hurricane)    |
 | [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)         | `ibmcloud`     | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)     |
 | [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
 | [Infoblox](https://www.infoblox.com/)                       | `infoblox`     | `INFOBLOX_USER`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)     |
@@ -367,7 +376,9 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Simply.com](https://www.simply.com/en/domains/)            | `simply`       | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/simply)       |
 | [Sonic](https://www.sonic.com/)                             | `sonic`        | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)        |
 | [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)    |
+| [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)  | `tencentcloud` | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud) |
 | [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)      |
+| [UKFast SafeDNS](https://www.ukfast.co.uk/dns-hosting.html) | `safedns`      | `SAFEDNS_AUTH_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)      |
 | [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)      |
 | [Versio](https://www.versio.nl/domeinnamen)                 | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)       |
 | [VinylDNS](https://www.vinyldns.io)                         | `vinyldns`     | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)     |
@@ -381,11 +392,12 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
 | manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |

-[^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
-[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production)
+[^1]: More information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/).
+[^2]: [Providing credentials to your application](https://cloud.google.com/docs/authentication/production).
 [^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
 [^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider.
 [^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
+[^6]: As explained in the [LEGO hurricane configuration](https://go-acme.github.io/lego/dns/hurricane/#credentials), each domain or wildcard (record name) needs a token. So each update of record name must be followed by an update of the `HURRICANE_TOKENS` variable, and a restart of Traefik.

 !!! info "`delayBeforeCheck`"
    By default, the `provider` verifies the TXT record _before_ letting ACME verify.
@@ -533,6 +545,50 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 !!! warning
    For concurrency reasons, this file cannot be shared across multiple instances of Traefik.

+### `certificatesDuration`
+
+_Optional, Default=2160_
+
+The `certificatesDuration` option defines the certificates' duration in hours.
+It defaults to `2160` (90 days) to follow Let's Encrypt certificates' duration.
+
+!!! warning "Traefik cannot manage certificates with a duration lower than 1 hour."
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      certificatesDuration: 72
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  certificatesDuration=72
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.certificatesduration=72
+# ...
+```
+
+`certificatesDuration` is used to calculate two durations:
+
+- `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
+- `Renew Interval`: the interval between renew attempts.
+
+| Certificate Duration | Renew Period      | Renew Interval          |
+|----------------------|-------------------|-------------------------|
+| >= 1 year            | 4 months          | 1 week                  |
+| >= 90 days           | 30 days           | 1 day                   |
+| >= 7 days            | 1 day             | 1 hour                  |
+| >= 24 hours          | 6 hours           | 10 min                  |
+| < 24 hours           | 20 min            | 1 min                   |
+
 ### `preferredChain`

 _Optional, Default=""_
--- a/docs/content/https/ref-acme.toml
+++ b/docs/content/https/ref-acme.toml
@@ -22,6 +22,14 @@
  #
  # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

+  # The certificates' duration in hours.
+  # It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
+  #
+  # Optional
+  # Default: 2160
+  #
+  # certificatesDuration=2160
+
  # Preferred chain to use.
  #
  # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
--- a/docs/content/https/ref-acme.txt
+++ b/docs/content/https/ref-acme.txt
@@ -21,6 +21,14 @@
 #
 --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory

+# The certificates' duration in hours.
+# It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
+#
+# Optional
+# Default: 2160
+#
+--certificatesresolvers.myresolver.acme.certificatesDuration=2160
+
 # Preferred chain to use.
 #
 # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
--- a/docs/content/https/ref-acme.yaml
+++ b/docs/content/https/ref-acme.yaml
@@ -24,6 +24,14 @@ certificatesResolvers:
      #
      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"

+      # The certificates' duration in hours.
+      # It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
+      #
+      # Optional
+      # Default: 2160
+      #
+      # certificatesDuration: 2160
+
      # Preferred chain to use.
      #
      # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -128,6 +128,30 @@ tls:
      keyFile  = "path/to/cert.key"
 ```

+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  defaultCertificate:
+    secretName: default-certificate
+    
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: default-certificate
+  namespace: default
+  
+type: Opaque
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
 If no default certificate is provided, Traefik generates and uses a self-signed certificate.

 ## TLS Options
@@ -143,11 +167,11 @@ The TLS options allow one to configure some parameters of the TLS connection.
    you must specify the provider namespace, for example:  
    `traefik.http.routers.myrouter.tls.options=myoptions@file`

-!!! important "TLSOptions in Kubernetes"
+!!! important "TLSOption in Kubernetes"

-    When using the TLSOptions-CRD in Kubernetes, one might setup a default set of options that,
+    When using the [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
    if not explicitly overwritten, should apply to all ingresses.  
-    To achieve that, you'll have to create a TLSOptions CR with the name `default`.
+    To achieve that, you'll have to create a TLSOption resource with the name `default`.
    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources)
    you'll have to add an annotation to the Ingress in the following form:
--- a/docs/content/middlewares/http/basicauth.md
+++ b/docs/content/middlewares/http/basicauth.md
@@ -88,12 +88,21 @@ The `users` option is an array of authorized users. Each user must be declared u
    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

+!!! note "Kubernetes kubernetes.io/basic-auth secret type"
+    
+    Kubernetes supports a special `kubernetes.io/basic-auth` secret type.
+    This secret must contain two keys: `username` and `password`.
+    Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods.
+    You can find more information on the [Kubernetes Basic Authentication Secret Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)
+
 ```yaml tab="Docker"
 # Declaring the user list
 #
-# Note: all dollar signs in the hash need to be doubled for escaping.
+# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
 # To create a user:password pair, the following command can be used:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+#
+# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
 labels:
  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
@@ -118,11 +127,24 @@ kind: Secret
 metadata:
  name: authsecret
  namespace: default
-
 data:
  users: |2
    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+
+---
+# This is an alternate auth secret that demonstrates the basic-auth secret type.
+# Note: the password is not hashed, and is merely base64 encoded.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret2
+  namespace: default
+type: kubernetes.io/basic-auth
+data:
+  username: dXNlcg== # username: user
+  password: cGFzc3dvcmQ= # password: password
 ```

 ```yaml tab="Consul Catalog"
--- a/docs/content/middlewares/http/buffering.md
+++ b/docs/content/middlewares/http/buffering.md
@@ -167,7 +167,7 @@ http:

 The `maxResponseBodyBytes` option configures the maximum allowed response size from the service (in bytes).

-If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
+If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413` (Request Entity Too Large) response instead.

 ```yaml tab="Docker"
 labels:
--- a/docs/content/middlewares/http/compress.md
+++ b/docs/content/middlewares/http/compress.md
@@ -60,7 +60,7 @@ http:

    Responses are compressed when the following criteria are all met:

-    * The response body is larger than `1400` bytes.
+    * The response body is larger than the configured minimum amount of bytes (default is `1024`).
    * The `Accept-Encoding` request header contains `gzip`.
    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.

@@ -122,3 +122,55 @@ http:
  [http.middlewares.test-compress.compress]
    excludedContentTypes = ["text/event-stream"]
 ```
+
+### `minResponseBodyBytes`
+
+`minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
+
+The default value is `1024`, which should be a reasonable value for most cases.
+
+Responses smaller than the specified values will not be compressed.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress:
+    minResponseBodyBytes: 1200
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress.minresponsebodybytes": 1200
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-compress:
+      compress:
+        minResponseBodyBytes: 1200
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    minResponseBodyBytes = 1200
+```
--- a/docs/content/middlewares/http/forwardauth.md
+++ b/docs/content/middlewares/http/forwardauth.md
@@ -349,12 +349,16 @@ http:

 ### `tls`

-The `tls` option is the TLS configuration from Traefik to the authentication server.
+_Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to the authentication server.

-Certificate Authority used for the secured connection to the authentication server,
-defaults to the system bundle.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secured connection to the authentication server,
+it defaults to the system bundle.

 ```yaml tab="Docker"
 labels:
@@ -417,13 +421,15 @@ http:
      ca = "path/to/local.crt"
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -479,9 +485,12 @@ http:
      caOptional = true
 ```

-#### `tls.cert`
+#### `cert`

-The public certificate used for the secure connection to the authentication server.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the authentication server.
+When using this option, setting the `key` option is required.

 ```yaml tab="Docker"
 labels:
@@ -554,9 +563,12 @@ http:

    For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

-#### `tls.key`
+#### `key`

-The private certificate used for the secure connection to the authentication server.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the authentication server.
+When using this option, setting the `cert` option is required.

 ```yaml tab="Docker"
 labels:
@@ -629,7 +641,9 @@ http:

    For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to the authentication server accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/middlewares/http/overview.md
+++ b/docs/content/middlewares/http/overview.md
@@ -84,7 +84,7 @@ labels:
 # As TOML Configuration File
 [http.routers]
  [http.routers.router1]
-    service = "myService"
+    service = "service1"
    middlewares = ["foo-add-prefix"]
    rule = "Host(`example.com`)"

@@ -105,7 +105,7 @@ labels:
 http:
  routers:
    router1:
-      service: myService
+      service: service1
      middlewares:
        - "foo-add-prefix"
      rule: "Host(`example.com`)"
--- a/docs/content/middlewares/http/passtlsclientcert.md
+++ b/docs/content/middlewares/http/passtlsclientcert.md
@@ -23,7 +23,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: addprefix
+  name: test-passtlsclientcert
 spec:
  passTLSClientCert:
    pem: true
@@ -76,6 +76,7 @@ http:
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
@@ -104,6 +105,7 @@ http:
            province: true
            locality: true
            organization: true
+            organizationalUnit: true
            commonName: true
            serialNumber: true
            domainComponent: true
@@ -127,6 +129,7 @@ http:
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
@@ -148,6 +151,7 @@ http:
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname": "true",
@@ -171,6 +175,7 @@ http:
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
@@ -197,6 +202,7 @@ http:
                province: true
                locality: true
                organization: true
+                organizationalUnit: true
                commonName: true
                serialNumber: true
                domainComponent: true
@@ -223,6 +229,7 @@ http:
            province = true
            locality = true
            organization = true
+            organizationalUnit = true
            commonName = true
            serialNumber = true
            domainComponent = true
@@ -247,7 +254,7 @@ PassTLSClientCert can add two headers to the request:

 !!! info

-    * The headers are filled with escaped string so it can be safely placed inside a URL query.
+    * Each header value is a string that has been escaped in order to be a valid URL query.
    * These options only work accordingly to the [MutualTLS configuration](../../https/tls.md#client-authentication-mtls).
    That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.

@@ -412,15 +419,18 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
 !!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"

    The header size limit of web servers is commonly between 4kb and 8kb.
-    You could change the server configuration to allow bigger header or use the `info` option with the needed field(s).
+    If that turns out to be a problem, and if reconfiguring the server to allow larger headers is not an option,
+    one can alleviate the problem by selecting only the interesting parts of the cert,
+    through the use of the `info` options described below. (And by setting `pem` to false).

 ### `info`

 The `info` option selects the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.

 The value of the header is an escaped concatenation of all the selected certificate details.
+But in the following, unless specified otherwise, all the header values examples are shown unescaped, for readability.

-The following example shows an unescaped result that uses all the available fields:
+The following example shows such a concatenation, when all the available fields are selected:

 ```text
 Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
@@ -441,7 +451,7 @@ The data is taken from the following certificate part:
        Not After : Dec  5 11:10:16 2020 GMT
 ```

-The escaped `notAfter` info part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 NA="1607166616"
@@ -458,7 +468,7 @@ Validity
    Not Before: Dec  6 11:10:16 2018 GMT
 ```

-The escaped `notBefore` info part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 NB="1544094616"
@@ -475,7 +485,7 @@ The data is taken from the following certificate part:
    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
 ```

-The escape SANs info part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
@@ -501,7 +511,7 @@ Set the `info.subject.country` option to `true` to add the `country` information

 The data is taken from the subject part with the `C` key.

-The escape country info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 C=FR,C=US
@@ -513,7 +523,7 @@ Set the `info.subject.province` option to `true` to add the `province` informati

 The data is taken from the subject part with the `ST` key.

-The escape province info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 ST=Cheese org state,ST=Cheese com state
@@ -525,7 +535,7 @@ Set the `info.subject.locality` option to `true` to add the `locality` informati

 The data is taken from the subject part with the `L` key.

-The escape locality info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 L=TOULOUSE,L=LYON
@@ -537,19 +547,31 @@ Set the `info.subject.organization` option to `true` to add the `organization` i

 The data is taken from the subject part with the `O` key.

-The escape organization info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 O=Cheese,O=Cheese 2
 ```

+##### `info.subject.organizationalUnit`
+
+Set the `info.subject.organizationalUnit` option to `true` to add the `organizationalUnit` information into the subject.
+
+The data is taken from the subject part with the `OU` key.
+
+And it is formatted as follows in the header:
+
+```text
+OU=Cheese Section,OU=Cheese Section 2
+```
+
 ##### `info.subject.commonName`

 Set the `info.subject.commonName` option to `true` to add the `commonName` information into the subject.

 The data is taken from the subject part with the `CN` key.

-The escape common name info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 CN=*.example.com
@@ -561,7 +583,7 @@ Set the `info.subject.serialNumber` option to `true` to add the `serialNumber` i

 The data is taken from the subject part with the `SN` key.

-The escape serial number info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 SN=1234567890
@@ -573,7 +595,7 @@ Set the `info.subject.domainComponent` option to `true` to add the `domainCompon

 The data is taken from the subject part with the `DC` key.

-The escape domain component info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 DC=org,DC=cheese
@@ -595,7 +617,7 @@ Set the `info.issuer.country` option to `true` to add the `country` information

 The data is taken from the issuer part with the `C` key.

-The escape country info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 C=FR,C=US
@@ -607,7 +629,7 @@ Set the `info.issuer.province` option to `true` to add the `province` informatio

 The data is taken from the issuer part with the `ST` key.

-The escape province info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 ST=Signing State,ST=Signing State 2
@@ -619,7 +641,7 @@ Set the `info.issuer.locality` option to `true` to add the `locality` informatio

 The data is taken from the issuer part with the `L` key.

-The escape locality info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 L=TOULOUSE,L=LYON
@@ -631,7 +653,7 @@ Set the `info.issuer.organization` option to `true` to add the `organization` in

 The data is taken from the issuer part with the `O` key.

-The escape organization info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 O=Cheese,O=Cheese 2
@@ -643,7 +665,7 @@ Set the `info.issuer.commonName` option to `true` to add the `commonName` inform

 The data is taken from the issuer part with the `CN` key.

-The escape common name info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 CN=Simple Signing CA 2
@@ -655,7 +677,7 @@ Set the `info.issuer.serialNumber` option to `true` to add the `serialNumber` in

 The data is taken from the issuer part with the `SN` key.

-The escape serial number info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 SN=1234567890
@@ -667,7 +689,7 @@ Set the `info.issuer.domainComponent` option to `true` to add the `domainCompone

 The data is taken from the issuer part with the `DC` key.

-The escape domain component info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 DC=org,DC=cheese
--- a/docs/content/middlewares/tcp/inflightconn.md
+++ b/docs/content/middlewares/tcp/inflightconn.md
@@ -0,0 +1,63 @@
+# InFlightConn
+
+Limiting the Number of Simultaneous connections.
+{: .subtitle }
+
+To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous connections by IP can be limited.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+labels:
+  - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: MiddlewareTCP
+metadata:
+  name: test-inflightconn
+spec:
+  inFlightConn:
+    amount: 10
+```
+
+```yaml tab="Consul Catalog"
+# Limiting to 10 simultaneous connections
+- "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount": "10"
+}
+```
+
+```yaml tab="Rancher"
+# Limiting to 10 simultaneous connections.
+labels:
+  - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
+```
+
+```yaml tab="File (YAML)"
+# Limiting to 10 simultaneous connections.
+tcp:
+  middlewares:
+    test-inflightconn:
+      inFlightConn:
+        amount: 10
+```
+
+```toml tab="File (TOML)"
+# Limiting to 10 simultaneous connections
+[tcp.middlewares]
+  [tcp.middlewares.test-inflightconn.inFlightConn]
+    amount = 10
+```
+
+## Configuration Options
+
+### `amount`
+
+The `amount` option defines the maximum amount of allowed simultaneous connections.
+The middleware closes the connection if there are already `amount` connections opened.
--- a/docs/content/middlewares/tcp/overview.md
+++ b/docs/content/middlewares/tcp/overview.md
@@ -36,7 +36,7 @@ spec:

 ---
 apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
+kind: MiddlewareTCP
 metadata:
  name: foo-ip-whitelist
 spec:
@@ -47,7 +47,7 @@ spec:

 ---
 apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
+kind: IngressRouteTCP
 metadata:
  name: ingressroute
 spec:
@@ -131,4 +131,5 @@ tcp:

 | Middleware                                | Purpose                                           | Area                        |
 |-------------------------------------------|---------------------------------------------------|-----------------------------|
-| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs                      | Security, Request lifecycle |
+| [InFlightConn](inflightconn.md)           | Limits the number of simultaneous connections.    | Security, Request lifecycle |
+| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |
--- a/docs/content/migration/v1-to-v2.md
+++ b/docs/content/migration/v1-to-v2.md
@@ -104,7 +104,7 @@ Then any router can refer to an instance of the wanted middleware.

    ```yaml tab="K8s IngressRoute"
    # The definitions below require the definitions for the Middleware and IngressRoute kinds.
-    # https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
+    # https://doc.traefik.io/traefik/v2.6/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
@@ -275,7 +275,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o

    ```yaml tab="K8s IngressRoute"
    # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
-    # https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
+    # https://doc.traefik.io/traefik/v2.7/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.containo.us/v1alpha1
    kind: TLSOption
    metadata:
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -423,3 +423,39 @@ the legacy behavior related to the CommonName field can not be enabled at all an
 In `v2.5.4`, when the errors service is configured with the [`PassHostHeader`](../routing/services/index.md#pass-host-header) option to `true` (default),
 the forwarded Host header value is now set to the client request Host value and not `0.0.0.0`.
 Check out the [Errors middleware](../middlewares/http/errorpages.md#service) documentation for more details.
+
+## v2.5 to v2.6
+
+### HTTP/3
+
+Traefik v2.6 introduces the `AdvertisedPort` option,
+which allows advertising, in the `Alt-Svc` header, a UDP port different from the one on which Traefik is actually listening (the EntryPoint's port).
+By doing so, it introduces a new configuration structure `http3`, which replaces the `enableHTTP3` option (which therefore doesn't exist anymore).
+To enable HTTP/3 on an EntryPoint, please check out the [HTTP/3 configuration](../routing/entrypoints.md#http3) documentation.
+
+### Kubernetes Gateway API Provider
+
+In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/getting-started/) of the specification and 
+[route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
+Therefore, the [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-gateway.md#definitions) definitions must be updated.
+
+## v2.6.0 to v2.6.1
+
+### Metrics
+
+In `v2.6.1`, the metrics system does not support any more custom HTTP method verbs to prevent potential metrics cardinality overhead.
+In consequence, for metrics having the method label,
+if the HTTP method verb of a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
+or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
+the value for the method label becomes `EXTENSION_METHOD`, instead of the request's one.
+
+### Tracing
+
+In `v2.6.1`, the Datadog tags added to a span changed from `service.name` to `traefik.service.name` and from `router.name` to `traefik.router.name`.
+
+## v2.7
+
+### Traefik Pilot
+
+In `v2.7`, the `pilot.token` and `pilot.dashboard` options are deprecated.
+Please check the [feature deprecation page](../deprecation/features.md) and our Blog for migration instructions later this year.
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -247,7 +247,7 @@ version: "3.7"

 services:
  traefik:
-    image: traefik:v2.5
+    image: traefik:v2.7
    environment:
      - TZ=US/Alaska
    command:
--- a/docs/content/observability/metrics/datadog.md
+++ b/docs/content/observability/metrics/datadog.md
@@ -118,10 +118,31 @@ metrics:
 ```toml tab="File (TOML)"
 [metrics]
  [metrics.datadog]
-    pushInterval = 10s
+    pushInterval = "10s"
 ```

 ```bash tab="CLI"
 --metrics.datadog.pushInterval=10s
 ```

+#### `prefix`
+
+_Optional, Default="traefik"_
+
+The prefix to use for metrics collection.
+
+```yaml tab="File (YAML)"
+metrics:
+  datadog:
+    prefix: traefik
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.datadog]
+    prefix = "traefik"
+```
+
+```bash tab="CLI"
+--metrics.datadog.prefix=traefik
+```
--- a/docs/content/observability/metrics/influxdb.md
+++ b/docs/content/observability/metrics/influxdb.md
@@ -69,7 +69,7 @@ InfluxDB database used when protocol is http.
 ```yaml tab="File (YAML)"
 metrics:
  influxDB:
-    database: "db"
+    database: db
 ```

 ```toml tab="File (TOML)"
@@ -91,7 +91,7 @@ InfluxDB retention policy used when protocol is http.
 ```yaml tab="File (YAML)"
 metrics:
  influxDB:
-    retentionPolicy: "two_hours"
+    retentionPolicy: two_hours
 ```

 ```toml tab="File (TOML)"
@@ -113,7 +113,7 @@ InfluxDB username (only with http).
 ```yaml tab="File (YAML)"
 metrics:
  influxDB:
-    username: "john"
+    username: john
 ```

 ```toml tab="File (TOML)"
@@ -135,7 +135,7 @@ InfluxDB password (only with http).
 ```yaml tab="File (YAML)"
 metrics:
  influxDB:
-    password: "secret"
+    password: secret
 ```

 ```toml tab="File (TOML)"
@@ -176,18 +176,18 @@ _Optional, Default=false_

 Enable metrics on routers.

-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    addRoutersLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
  influxDB:
    addRoutersLabels: true
 ```

+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    addRoutersLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.influxdb.addrouterslabels=true
 ```
@@ -229,9 +229,35 @@ metrics:
 ```toml tab="File (TOML)"
 [metrics]
  [metrics.influxDB]
-    pushInterval = 10s
+    pushInterval = "10s"
 ```

 ```bash tab="CLI"
 --metrics.influxdb.pushInterval=10s
 ```
+
+#### `additionalLabels`
+
+_Optional, Default={}_
+
+Additional labels (influxdb tags) on all metrics.
+
+```yaml tab="File (YAML)"
+metrics:
+  influxDB:
+    additionalLabels:
+      host: example.com
+      environment: production
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    [metrics.influxDB.additionalLabels]
+      host = "example.com"
+      environment = "production"
+```
+
+```bash tab="CLI"
+--metrics.influxdb.additionallabels.host=example.com --metrics.influxdb.additionallabels.environment=production
+```
--- a/docs/content/observability/metrics/influxdb2.md
+++ b/docs/content/observability/metrics/influxdb2.md
@@ -0,0 +1,219 @@
+# InfluxDB v2
+
+To enable the InfluxDB2:
+
+```yaml tab="File (YAML)"
+metrics:
+  influxDB2: {}
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB2]
+```
+
+```bash tab="CLI"
+--metrics.influxdb2=true
+```
+
+#### `address`
+
+_Required, Default="http://localhost:8086"_
+
+Address of the InfluxDB v2 instance.
+
+```yaml tab="File (YAML)"
+metrics:
+  influxDB2:
+    address: http://localhost:8086
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB2]
+    address = "http://localhost:8086"
+```
+
+```bash tab="CLI"
+--metrics.influxdb2.address=http://localhost:8086
+```
+
+#### `token`
+
+_Required, Default=""_
+
+Token with which to connect to InfluxDB v2.
+
+```yaml tab="File (YAML)"
+metrics:
+  influxDB2:
+    token: secret
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB2]
+    token = "secret"
+```
+
+```bash tab="CLI"
+--metrics.influxdb2.token=secret
+```
+
+#### `org`
+
+_Required, Default=""_
+
+Organisation where metrics will be stored.
+
+```yaml tab="File (YAML)"
+metrics:
+  influxDB2:
+    org: my-org
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB2]
+    org = "my-org"
+```
+
+```bash tab="CLI"
+--metrics.influxdb2.org=my-org
+```
+
+#### `bucket`
+
+_Required, Default=""_
+
+Bucket where metrics will be stored.
+
+```yaml tab="File (YAML)"
+metrics:
+  influxDB2:
+    bucket: my-bucket
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB2]
+    bucket = "my-bucket"
+```
+
+```bash tab="CLI"
+--metrics.influxdb2.bucket=my-bucket
+```
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```yaml tab="File (YAML)"
+metrics:
+  influxDB2:
+    addEntryPointsLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB2]
+    addEntryPointsLabels = true
+```
+
+```bash tab="CLI"
+--metrics.influxdb2.addEntryPointsLabels=true
+```
+
+#### `addRoutersLabels`
+
+_Optional, Default=false_
+
+Enable metrics on routers.
+
+```yaml tab="File (YAML)"
+metrics:
+  influxDB2:
+    addRoutersLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB2]
+    addRoutersLabels = true
+```
+
+```bash tab="CLI"
+--metrics.influxdb2.addrouterslabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```yaml tab="File (YAML)"
+metrics:
+  influxDB2:
+    addServicesLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB2]
+    addServicesLabels = true
+```
+
+```bash tab="CLI"
+--metrics.influxdb2.addServicesLabels=true
+```
+
+#### `pushInterval`
+
+_Optional, Default=10s_
+
+The interval used by the exporter to push metrics to InfluxDB server.
+
+```yaml tab="File (YAML)"
+metrics:
+  influxDB2:
+    pushInterval: 10s
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB2]
+    pushInterval = "10s"
+```
+
+```bash tab="CLI"
+--metrics.influxdb2.pushInterval=10s
+```
+
+#### `additionalLabels`
+
+_Optional, Default={}_
+
+Additional labels (InfluxDB tags) on all metrics.
+
+```yaml tab="File (YAML)"
+metrics:
+  influxDB2:
+    additionalLabels:
+      host: example.com
+      environment: production
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB2]
+    [metrics.influxDB2.additionalLabels]
+      host = "example.com"
+      environment = "production"
+```
+
+```bash tab="CLI"
+--metrics.influxdb2.additionallabels.host=example.com --metrics.influxdb2.additionallabels.environment=production
+```
--- a/docs/content/observability/metrics/overview.md
+++ b/docs/content/observability/metrics/overview.md
@@ -4,42 +4,27 @@ Traefik supports 4 metrics backends:

 - [Datadog](./datadog.md)
 - [InfluxDB](./influxdb.md)
+- [InfluxDB2](./influxdb2.md)
 - [Prometheus](./prometheus.md)
 - [StatsD](./statsd.md)

-## Configuration
+## Global Metrics

-To enable metrics:
-
-```yaml tab="File (YAML)"
-metrics: {}
-```
-
-```toml tab="File (TOML)"
-[metrics]
-```
-
-```bash tab="CLI"
--metrics=true
-```
-
-## Server Metrics
-
-| Metric                                                                  | DataDog | InfluxDB | Prometheus | StatsD |
-|-------------------------------------------------------------------------|---------|----------|------------|--------|
-| [Configuration reloads](#configuration-reloads)                         | ✓       | ✓        | ✓          | ✓      |
-| [Configuration reload failures](#configuration-reload-failures)         | ✓       | ✓        | ✓          | ✓      |
-| [Last Configuration Reload Success](#last-configuration-reload-success) | ✓       | ✓        | ✓          | ✓      |
-| [Last Configuration Reload Failure](#last-configuration-reload-failure) | ✓       | ✓        | ✓          | ✓      |
+| Metric                                                                  | DataDog | InfluxDB / InfluxDB2 | Prometheus | StatsD |
+|-------------------------------------------------------------------------|---------|----------------------|------------|--------|
+| [Configuration reloads](#configuration-reloads)                         | ✓       | ✓                    | ✓          | ✓      |
+| [Last Configuration Reload Success](#last-configuration-reload-success) | ✓       | ✓                    | ✓          | ✓      |
+| [TLS certificates expiration](#tls-certificates-expiration)             | ✓       | ✓                    | ✓          | ✓      |

 ### Configuration Reloads
+
 The total count of configuration reloads.

 ```dd tab="Datadog"
 config.reload.total
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB / InfluxDB2"
 traefik.config.reload.total
 ```

@@ -52,34 +37,15 @@ traefik_config_reloads_total
 {prefix}.config.reload.total
 ```

-### Configuration Reload Failures
-The total count of configuration reload failures.
-
-```dd tab="Datadog"
-config.reload.total (with tag "failure" to true)
-```
-
-```influxdb tab="InfluDB"
-traefik.config.reload.total.failure
-```
-
-```prom tab="Prometheus"
-traefik_config_reloads_failure_total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.config.reload.total.failure
-```
-
 ### Last Configuration Reload Success
+
 The timestamp of the last configuration reload success.

 ```dd tab="Datadog"
 config.reload.lastSuccessTimestamp
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB / InfluxDB2"
 traefik.config.reload.lastSuccessTimestamp
 ```

@@ -92,45 +58,49 @@ traefik_config_last_reload_success
 {prefix}.config.reload.lastSuccessTimestamp
 ```

-### Last Configuration Reload Failure
-The timestamp of the last configuration reload failure.
+### TLS certificates expiration
+
+The expiration date of certificates.
+
+[Labels](#labels): `cn`, `sans`, `serial`.

 ```dd tab="Datadog"
-config.reload.lastFailureTimestamp
+tls.certs.notAfterTimestamp
 ```

-```influxdb tab="InfluDB"
-traefik.config.reload.lastFailureTimestamp
+```influxdb tab="InfluxDB / InfluxDB2"
+traefik.tls.certs.notAfterTimestamp
 ```

 ```prom tab="Prometheus"
-traefik_config_last_reload_failure
+traefik_tls_certs_not_after
 ```

 ```statsd tab="StatsD"
 # Default prefix: "traefik"
-{prefix}.config.reload.lastFailureTimestamp
+{prefix}.tls.certs.notAfterTimestamp
 ```

 ## EntryPoint Metrics

-| Metric                                                    | DataDog | InfluxDB | Prometheus | StatsD |
-|-----------------------------------------------------------|---------|----------|------------|--------|
-| [HTTP Requests Count](#http-requests-count)               | ✓       | ✓        | ✓          | ✓      |
-| [HTTPS Requests Count](#https-requests-count)             |         |          | ✓          |        |
-| [Request Duration Histogram](#request-duration-histogram) | ✓       | ✓        | ✓          | ✓      |
-| [Open Connections Count](#open-connections-count)         | ✓       | ✓        | ✓          | ✓      |
+| Metric                                                    | DataDog | InfluxDB / InfluxDB2 | Prometheus | StatsD |
+|-----------------------------------------------------------|---------|----------------------|------------|--------|
+| [HTTP Requests Count](#http-requests-count)               | ✓       | ✓                    | ✓          | ✓      |
+| [HTTPS Requests Count](#https-requests-count)             | ✓       | ✓                    | ✓          | ✓      |
+| [Request Duration Histogram](#request-duration-histogram) | ✓       | ✓                    | ✓          | ✓      |
+| [Open Connections Count](#open-connections-count)         | ✓       | ✓                    | ✓          | ✓      |

 ### HTTP Requests Count
-The total count of HTTP requests processed on an entrypoint.

-Available labels: `code`, `method`, `protocol`, `entrypoint`.
+The total count of HTTP requests received by an entrypoint.
+
+[Labels](#labels): `code`, `method`, `protocol`, `entrypoint`.

 ```dd tab="Datadog"
 entrypoint.request.total
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB / InfluxDB2"
 traefik.entrypoint.requests.total
 ```

@@ -144,24 +114,39 @@ traefik_entrypoint_requests_total
 ```

 ### HTTPS Requests Count
-The total count of HTTPS requests processed on an entrypoint.

-Available labels: `tls_version`, `tls_cipher`, `entrypoint`.
+The total count of HTTPS requests received by an entrypoint.
+
+[Labels](#labels): `tls_version`, `tls_cipher`, `entrypoint`.
+
+```dd tab="Datadog"
+entrypoint.request.tls.total
+```
+
+```influxdb tab="InfluxDB / InfluxDB2"
+traefik.entrypoint.requests.tls.total
+```

 ```prom tab="Prometheus"
 traefik_entrypoint_requests_tls_total
 ```

-### Request Duration Histogram
-Request process time duration histogram on an entrypoint.
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.entrypoint.request.tls.total
+```

-Available labels: `code`, `method`, `protocol`, `entrypoint`.
+### Request Duration Histogram
+
+Request processing duration histogram on an entrypoint.
+
+[Labels](#labels): `code`, `method`, `protocol`, `entrypoint`.

 ```dd tab="Datadog"
 entrypoint.request.duration
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB / InfluxDB2"
 traefik.entrypoint.request.duration
 ```

@@ -175,15 +160,16 @@ traefik_entrypoint_request_duration_seconds
 ```

 ### Open Connections Count
+
 The current count of open connections on an entrypoint.

-Available labels: `method`, `protocol`, `entrypoint`.
+[Labels](#labels): `method`, `protocol`, `entrypoint`.

 ```dd tab="Datadog"
 entrypoint.connections.open
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB / InfluxDB2"
 traefik.entrypoint.connections.open
 ```

@@ -196,27 +182,129 @@ traefik_entrypoint_open_connections
 {prefix}.entrypoint.connections.open
 ```

-## Service Metrics
+## Router Metrics

-| Metric                                                      | DataDog | InfluxDB | Prometheus | StatsD |
-|-------------------------------------------------------------|---------|----------|------------|--------|
-| [HTTP Requests Count](#http-requests-count_1)               | ✓       | ✓        | ✓          | ✓      |
-| [HTTPS Requests Count](#https-requests-count_1)             |         |          | ✓          |        |
-| [Request Duration Histogram](#request-duration-histogram_1) | ✓       | ✓        | ✓          | ✓      |
-| [Open Connections Count](#open-connections-count_1)         | ✓       | ✓        | ✓          | ✓      |
-| [Requests Retries Count](#requests-retries-count)           | ✓       | ✓        | ✓          | ✓      |
-| [Service Server UP](#service-server-up)                     | ✓       | ✓        | ✓          | ✓      |
+| Metric                                                      | DataDog | InfluxDB / InfluxDB2 | Prometheus | StatsD |
+|-------------------------------------------------------------|---------|----------------------|------------|--------|
+| [HTTP Requests Count](#http-requests-count_1)               | ✓       | ✓                    | ✓          | ✓      |
+| [HTTPS Requests Count](#https-requests-count_1)             | ✓       | ✓                    | ✓          | ✓      |
+| [Request Duration Histogram](#request-duration-histogram_1) | ✓       | ✓                    | ✓          | ✓      |
+| [Open Connections Count](#open-connections-count_1)         | ✓       | ✓                    | ✓          | ✓      |

 ### HTTP Requests Count
+
+The total count of HTTP requests handled by a router.
+
+[Labels](#labels): `code`, `method`, `protocol`, `router`, `service`.
+
+```dd tab="Datadog"
+router.request.total
+```
+
+```influxdb tab="InfluxDB / InfluxDB2"
+traefik.router.requests.total
+```
+
+```prom tab="Prometheus"
+traefik_router_requests_total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.request.total
+```
+
+### HTTPS Requests Count
+
+The total count of HTTPS requests handled by a router.
+
+[Labels](#labels): `tls_version`, `tls_cipher`, `router`, `service`.
+
+```dd tab="Datadog"
+router.request.tls.total
+```
+
+```influxdb tab="InfluxDB / InfluxDB2"
+traefik.router.requests.tls.total
+```
+
+```prom tab="Prometheus"
+traefik_router_requests_tls_total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.request.tls.total
+```
+
+### Request Duration Histogram
+
+Request processing duration histogram on a router.
+
+[Labels](#labels): `code`, `method`, `protocol`, `router`, `service`.
+
+```dd tab="Datadog"
+router.request.duration
+```
+
+```influxdb tab="InfluxDB / InfluxDB2"
+traefik.router.request.duration
+```
+
+```prom tab="Prometheus"
+traefik_router_request_duration_seconds
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.request.duration
+```
+
+### Open Connections Count
+
+The current count of open connections on a router.
+
+[Labels](#labels): `method`, `protocol`, `router`, `service`.
+
+```dd tab="Datadog"
+router.connections.open
+```
+
+```influxdb tab="InfluxDB / InfluxDB2"
+traefik.router.connections.open
+```
+
+```prom tab="Prometheus"
+traefik_router_open_connections
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.connections.open
+```
+
+## Service Metrics
+
+| Metric                                                      | DataDog | InfluxDB / InfluxDB2 | Prometheus | StatsD |
+|-------------------------------------------------------------|---------|----------------------|------------|--------|
+| [HTTP Requests Count](#http-requests-count_2)               | ✓       | ✓                    | ✓          | ✓      |
+| [HTTPS Requests Count](#https-requests-count_2)             | ✓       | ✓                    | ✓          | ✓      |
+| [Request Duration Histogram](#request-duration-histogram_2) | ✓       | ✓                    | ✓          | ✓      |
+| [Open Connections Count](#open-connections-count_2)         | ✓       | ✓                    | ✓          | ✓      |
+| [Requests Retries Count](#requests-retries-count)           | ✓       | ✓                    | ✓          | ✓      |
+| [Service Server UP](#service-server-up)                     | ✓       | ✓                    | ✓          | ✓      |
+
+### HTTP Requests Count
+
 The total count of HTTP requests processed on a service.

-Available labels: `code`, `method`, `protocol`, `service`.
+[Labels](#labels): `code`, `method`, `protocol`, `service`.

 ```dd tab="Datadog"
 service.request.total
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB / InfluxDB2"
 traefik.service.requests.total
 ```

@@ -230,24 +318,39 @@ traefik_service_requests_total
 ```

 ### HTTPS Requests Count
+
 The total count of HTTPS requests processed on a service.

-Available labels: `tls_version`, `tls_cipher`, `service`.
+[Labels](#labels): `tls_version`, `tls_cipher`, `service`.
+
+```dd tab="Datadog"
+router.service.tls.total
+```
+
+```influxdb tab="InfluxDB / InfluxDB2"
+traefik.service.requests.tls.total
+```

 ```prom tab="Prometheus"
 traefik_service_requests_tls_total
 ```

-### Request Duration Histogram
-Request process time duration histogram on a service.
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.service.request.tls.total
+```

-Available labels: `code`, `method`, `protocol`, `service`.
+### Request Duration Histogram
+
+Request processing duration histogram on a service.
+
+[Labels](#labels): `code`, `method`, `protocol`, `service`.

 ```dd tab="Datadog"
 service.request.duration
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB / InfluxDB2"
 traefik.service.request.duration
 ```

@@ -261,15 +364,16 @@ traefik_service_request_duration_seconds
 ```

 ### Open Connections Count
+
 The current count of open connections on a service.

-Available labels: `method`, `protocol`, `service`.
+[Labels](#labels): `method`, `protocol`, `service`.

 ```dd tab="Datadog"
 service.connections.open
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB / InfluxDB2"
 traefik.service.connections.open
 ```

@@ -283,15 +387,16 @@ traefik_service_open_connections
 ```

 ### Requests Retries Count
+
 The count of requests retries on a service.

-Available labels: `service`.
+[Labels](#labels): `service`.

 ```dd tab="Datadog"
 service.retries.total
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB / InfluxDB2"
 traefik.service.retries.total
 ```

@@ -305,15 +410,16 @@ traefik_service_retries_total
 ```

 ### Service Server UP
+
 Current service's server status, described by a gauge with a value of 0 for a down server or a value of 1 for an up server.

-Available labels: `service`, `url`.
+[Labels](#labels): `service`, `url`.

 ```dd tab="Datadog"
 service.server.up
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB / InfluxDB2"
 traefik.service.server.up
 ```

@@ -325,3 +431,28 @@ traefik_service_server_up
 # Default prefix: "traefik"
 {prefix}.service.server.up
 ```
+
+## Labels
+
+Here is a comprehensive list of labels that are provided by the metrics:
+
+| Label         | Description                           | example                    |
+|---------------|---------------------------------------|----------------------------|
+| `cn`          | Certificate Common Name               | "example.com"              |
+| `code`        | Request code                          | "200"                      |
+| `entrypoint`  | Entrypoint that handled the request   | "example_entrypoint"       |
+| `method`      | Request Method                        | "GET"                      |
+| `protocol`    | Request protocol                      | "http"                     |
+| `router`      | Router that handled the request       | "example_router"           |
+| `sans`        | Certificate Subject Alternative NameS | "example.com"              |
+| `serial`      | Certificate Serial Number             | "123..."                   |
+| `service`     | Service that handled the request      | "example_service@provider" |
+| `tls_cipher`  | TLS cipher used for the request       | "TLS_FALLBACK_SCSV"        |
+| `tls_version` | TLS version used for the request      | "1.0"                      |
+| `url`         | Service server url                    | "http://example.com"       |
+
+!!! info "`method` label value"
+
+    If the HTTP method verb on a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
+    or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
+    then the value for the method label becomes `EXTENSION_METHOD`.
--- a/docs/content/observability/metrics/prometheus.md
+++ b/docs/content/observability/metrics/prometheus.md
@@ -39,7 +39,7 @@ metrics:
 ```

 ```bash tab="CLI"
--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000
+--metrics.prometheus.buckets=0.1,0.3,1.2,5.0
 ```

 #### `addEntryPointsLabels`
@@ -70,18 +70,18 @@ _Optional, Default=false_

 Enable metrics on routers.

-```toml tab="File (TOML)"
-[metrics]
-  [metrics.prometheus]
-    addRoutersLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
  prometheus:
    addRoutersLabels: true
 ```

+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    addRoutersLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.prometheus.addrouterslabels=true
 ```
@@ -117,7 +117,7 @@ Entry point used to expose metrics.
 ```yaml tab="File (YAML)"
 entryPoints:
  metrics:
-    address: ":8082"
+    address: :8082

 metrics:
  prometheus:
--- a/docs/content/observability/metrics/statsd.md
+++ b/docs/content/observability/metrics/statsd.md
@@ -66,18 +66,18 @@ _Optional, Default=false_

 Enable metrics on entry points.

-```toml tab="File (TOML)"
-[metrics]
-  [metrics.statsD]
-    addRoutersLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
  statsD:
    addRoutersLabels: true
 ```

+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsD]
+    addRoutersLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.statsd.addrouterslabels=true
 ```
@@ -119,7 +119,7 @@ metrics:
 ```toml tab="File (TOML)"
 [metrics]
  [metrics.statsD]
-    pushInterval = 10s
+    pushInterval = "10s"
 ```

 ```bash tab="CLI"
@@ -145,5 +145,5 @@ metrics:
 ```

 ```bash tab="CLI"
--metrics.statsd.prefix="traefik"
+--metrics.statsd.prefix=traefik
 ```
--- a/docs/content/observability/tracing/instana.md
+++ b/docs/content/observability/tracing/instana.md
@@ -88,3 +88,25 @@ tracing:
 ```bash tab="CLI"
 --tracing.instana.logLevel=info
 ```
+
+#### `enableAutoProfile`
+
+_Required, Default=false_
+
+Enables [automatic profiling](https://www.ibm.com/docs/en/obi/current?topic=instana-profile-processes) for the Traefik process.
+
+```yaml tab="File (YAML)"
+tracing:
+  instana:
+    enableAutoProfile: true
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.instana]
+    enableAutoProfile = true
+```
+
+```bash tab="CLI"
+--tracing.instana.enableAutoProfile=true
+```
--- a/docs/content/observability/tracing/jaeger.md
+++ b/docs/content/observability/tracing/jaeger.md
@@ -18,7 +18,7 @@ tracing:

 !!! warning
    Traefik is able to send data over the compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent)
-    or a [Jaeger collector](https://www.jaegertracing.io/docs/deployment/#collectors).
+    or a [Jaeger collector](https://www.jaegertracing.io/docs/deployment/#collector).

 !!! info
    All Jaeger configuration can be overridden by [environment variables](https://github.com/jaegertracing/jaeger-client-go#environment-variables)
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@@ -147,9 +147,16 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 | `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                              |
 | `/api/tcp/services`            | Lists all the TCP services information.                                                     |
 | `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                             |
+| `/api/tcp/middlewares`         | Lists all the TCP middlewares information.                                                  |
+| `/api/tcp/middlewares/{name}`  | Returns the information of the TCP middleware specified by `name`.                          |
+| `/api/udp/routers`             | Lists all the UDP routers information.                                                      |
+| `/api/udp/routers/{name}`      | Returns the information of the UDP router specified by `name`.                              |
+| `/api/udp/services`            | Lists all the UDP services information.                                                     |
+| `/api/udp/services/{name}`     | Returns the information of the UDP service specified by `name`.                             |
 | `/api/entrypoints`             | Lists all the entry points information.                                                     |
 | `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                             |
 | `/api/overview`                | Returns statistic information about http and tcp as well as enabled features and providers. |
+| `/api/rawdata`                 | Returns information about dynamic configurations, errors, status and dependency relations.  |
 | `/api/version`                 | Returns information about Traefik version.                                                  |
 | `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                          |
 | `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.       |
--- a/docs/content/plugins/index.md
+++ b/docs/content/plugins/index.md
@@ -1,5 +1,10 @@
 # Plugins and Traefik Pilot

+!!! warning "Traefik Pilot Deprecation"
+
+    Traefik Pilot is deprecated and will be removed soon.
+    Please check our Blog for migration instructions later this year.
+
 Traefik Pilot is a software-as-a-service (SaaS) platform that connects to Traefik to extend its capabilities.
 It offers a number of features to enhance observability and control of Traefik through a global control plane and dashboard, including:

--- a/docs/content/providers/consul-catalog.md
+++ b/docs/content/providers/consul-catalog.md
@@ -362,14 +362,14 @@ providers:

 _Optional_

-Defines TLS options for Consul server endpoint.
+Defines the TLS configuration used for the secure connection to Consul Catalog.

 ##### `ca`

 _Optional_

-Certificate Authority used for the secure connection to Consul,
-defaults to the system bundle.
+`ca` is the path to the certificate authority used for the secure connection to Consul Catalog,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -392,11 +392,11 @@ providers:

 _Optional_

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul Catalog.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -423,8 +423,7 @@ providers:

 _Optional_

-`cert` is the path to the public certificate to use for Consul communication.
-
+`cert` is the path to the public certificate used for the secure connection to Consul Catalog.
 When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
@@ -451,8 +450,7 @@ providers:

 _Optional_

-`key` is the path to the private key for Consul communication.
-
+`key` is the path to the private key used for the secure connection to Consul Catalog.
 When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
@@ -477,7 +475,7 @@ providers:

 ##### `insecureSkipVerify`

-_Optional_
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.

@@ -694,3 +692,56 @@ providers:
 ```

 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
+### `namespace`
+
+_Optional, Default=""_
+
+The `namespace` option defines the namespace in which the consul catalog services will be discovered.
+
+!!! warning
+
+    The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
+    which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    namespace: "production" 
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  namespace = "production"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.namespace=production
+# ...
+```
+
+### `watch`
+
+_Optional, Default=false_
+
+When set to `true`, watches for Consul changes ([Consul watches checks](https://www.consul.io/docs/dynamic-app-config/watches#checks)).
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    watch: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  watch = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.watch=true
+# ...
+```
--- a/docs/content/providers/consul.md
+++ b/docs/content/providers/consul.md
@@ -15,7 +15,7 @@ See the dedicated section in [routing](../routing/providers/kv.md).

 _Required, Default="127.0.0.1:8500"_

-Defines how to access to Consul.
+Defines how to access Consul.

 ```yaml tab="File (YAML)"
 providers:
@@ -54,6 +54,34 @@ providers:
 --providers.consul.rootkey=traefik
 ```

+### `namespace`
+
+_Optional, Default=""_
+
+The `namespace` option defines the namespace to query.
+
+!!! warning
+
+    The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
+    which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    # ...
+    namespace: "production"
+```
+
+```toml tab="File (TOML)"
+[providers.consul]
+  # ...
+  namespace = "production"
+```
+
+```bash tab="CLI"
+--providers.consul.namespace=production
+```
+
 ### `username`

 _Optional, Default=""_
@@ -97,17 +125,44 @@ providers:
 ```

 ```bash tab="CLI"
--providers.consul.password=foo
+--providers.consul.password=bar
+```
+
+### `token`
+
+_Optional, Default=""_
+
+Defines a token with which to connect to Consul.
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    # ...
+    token: "bar"
+```
+
+```toml tab="File (TOML)"
+[providers.consul]
+  # ...
+  token = "bar"
+```
+
+```bash tab="CLI"
+--providers.consul.token=bar
 ```

 ### `tls`

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to Consul.

-Certificate Authority used for the secure connection to Consul,
-defaults to the system bundle.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to Consul,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -125,13 +180,15 @@ providers:
 --providers.consul.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -153,9 +210,12 @@ providers:
 --providers.consul.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to Consul.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to Consul.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -176,9 +236,12 @@ providers:
 --providers.consul.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to Consul.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to Consul.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -199,7 +262,9 @@ providers:
 --providers.consul.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -252,7 +252,7 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A

    services:
      traefik:
-         image: traefik:v2.5 # The official v2 Traefik docker image
+         image: traefik:v2.7 # The official v2 Traefik docker image
         ports:
           - "80:80"
         volumes:
@@ -550,11 +550,11 @@ providers:

 _Optional, Default=""_

-The `constraints` option can be set to an expression that Traefik matches against the container tags to determine whether
-to create any route for that container. If none of the container tags match the expression, no route for that container is
+The `constraints` option can be set to an expression that Traefik matches against the container labels to determine whether
+to create any route for that container. If none of the container labels match the expression, no route for that container is
 created. If the expression is empty, all detected containers are included.

-The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions,
 as well as the usual boolean logic, as shown in examples below.

 ??? example "Constraints Expression Examples"
@@ -613,10 +613,14 @@ providers:

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to Docker.

-Certificate Authority used for the secure connection to Docker,
-defaults to the system bundle.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to Docker,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -634,13 +638,15 @@ providers:
 --providers.docker.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Docker.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Docker.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -662,9 +668,10 @@ providers:
 --providers.docker.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to Docker.
+`cert` is the path to the public certificate used for the secure connection to Docker.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -685,9 +692,12 @@ providers:
 --providers.docker.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to Docker.
+_Optional_
+
+`key` is the path to the private key used for the secure connection Docker.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -708,7 +718,9 @@ providers:
 --providers.docker.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to Docker accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/providers/etcd.md
+++ b/docs/content/providers/etcd.md
@@ -104,10 +104,14 @@ providers:

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to etcd.

-Certificate Authority used for the secure connection to etcd,
-defaults to the system bundle.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to etcd,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -125,13 +129,15 @@ providers:
 --providers.etcd.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to etcd.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to etcd.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -153,9 +159,12 @@ providers:
 --providers.etcd.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to etcd.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to etcd.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -176,9 +185,12 @@ providers:
 --providers.etcd.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to etcd.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to etcd.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -199,7 +211,9 @@ providers:
 --providers.etcd.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to etcd accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/providers/http.md
+++ b/docs/content/providers/http.md
@@ -17,8 +17,7 @@ Defines the HTTP(S) endpoint to poll.
 ```yaml tab="File (YAML)"
 providers:
  http:
-    endpoint:
-      - "http://127.0.0.1:9000/api"
+    endpoint: "http://127.0.0.1:9000/api"
 ```

 ```toml tab="File (TOML)"
@@ -55,7 +54,7 @@ providers:

 _Optional, Default="5s"_

-Defines the polling timeout when connecting to the configured endpoint.
+Defines the polling timeout when connecting to the endpoint.

 ```yaml tab="File (YAML)"
 providers:
@@ -76,10 +75,14 @@ providers:

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to the endpoint.

-Certificate Authority used for the secure connection to the configured endpoint,
-defaults to the system bundle.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the endpoint,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -97,13 +100,15 @@ providers:
 --providers.http.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the configured endpoint.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the endpoint.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -125,9 +130,12 @@ providers:
 --providers.http.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to the configured endpoint.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the endpoint.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -148,9 +156,12 @@ providers:
 --providers.http.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to the configured endpoint.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the endpoint.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -171,7 +182,9 @@ providers:
 --providers.http.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to the endpoint accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -195,13 +195,13 @@ See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-
 ```yaml tab="File (YAML)"
 providers:
  kubernetesCRD:
-    labelselector: "app=traefik"
+    labelSelector: "app=traefik"
    # ...
 ```

 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
-  labelselector = "app=traefik"
+  labelSelector = "app=traefik"
  # ...
 ```

@@ -264,11 +264,38 @@ providers:
 --providers.kubernetescrd.throttleDuration=10s
 ```

+### `allowEmptyServices`
+
+_Optional, Default: false_
+
+If the parameter is set to `true`,
+it allows the creation of an empty [servers load balancer](../routing/services/index.md#servers-load-balancer) if the targeted Kubernetes service has no endpoints available.
+With IngressRoute resources,
+this results in `503` HTTP responses instead of `404` ones.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    allowEmptyServices: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  allowEmptyServices = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesCRD.allowEmptyServices=true
+```
+
 ### `allowCrossNamespace`

 _Optional, Default: false_

-If the parameter is set to `true`, IngressRoutes are  able to reference  resources in other namespaces than theirs.
+If the parameter is set to `true`,
+IngressRoute are able to reference resources in namespaces other than theirs.

 ```yaml tab="File (YAML)"
 providers:
--- a/docs/content/providers/kubernetes-gateway.md
+++ b/docs/content/providers/kubernetes-gateway.md
@@ -9,7 +9,7 @@ The Gateway API project is part of Kubernetes, working under SIG-NETWORK.
 The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
 specifications from the Kubernetes Special Interest Groups (SIGs).

-This provider is proposed as an experimental feature and partially supports the Gateway API [v0.3.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.3.0) specification.
+This provider is proposed as an experimental feature and partially supports the Gateway API [v0.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.4.0) specification.

 !!! warning "Enabling The Experimental Kubernetes Gateway Provider"

@@ -41,7 +41,7 @@ This provider is proposed as an experimental feature and partially supports the
 !!! tip "All Steps for a Successful Deployment"

    * Add/update the Kubernetes Gateway API [definitions](../reference/dynamic-configuration/kubernetes-gateway.md#definitions).
-    * Add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik custom resources.
+    * Add/update the [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) for the Traefik custom resources.
    * Add all needed Kubernetes Gateway API [resources](../reference/dynamic-configuration/kubernetes-gateway.md#resources).

 ## Examples
@@ -62,9 +62,9 @@ This provider is proposed as an experimental feature and partially supports the

    ```yaml tab="Gateway API CRDs"
    # All resources definition must be declared
-    --8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gatewayclasses.yaml"
-    --8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gateways.yaml"
-    --8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_httproutes.yaml"
+    --8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_gatewayclasses.yaml"
+    --8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_gateways.yaml"
+    --8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_httproutes.yaml"
    ```

    ```yaml tab="RBAC"
@@ -73,17 +73,17 @@ This provider is proposed as an experimental feature and partially supports the

 The Kubernetes Gateway API project provides several guides on how to use the APIs.
 These guides can help you to go further than the example above.
-The [getting started guide](https://gateway-api.sigs.k8s.io/v1alpha1/guides/getting-started/) details how to install the CRDs from their repository.
+The [getting started guide](https://gateway-api.sigs.k8s.io/v1alpha2/guides/getting-started/) details how to install the CRDs from their repository.

 !!! note ""

-    Keep in mind that the Traefik Gateway provider only supports the `v0.3.0` (v1alpha1).
+    Keep in mind that the Traefik Gateway provider only supports the `v0.4.0` (v1alpha2).

 For now, the Traefik Gateway Provider can be used while following the below guides:

-* [Simple Gateway](https://gateway-api.sigs.k8s.io/v1alpha1/guides/simple-gateway/)
-* [HTTP routing](https://gateway-api.sigs.k8s.io/v1alpha1/guides/http-routing/)
-* [TLS](https://gateway-api.sigs.k8s.io/v1alpha1/guides/tls/)
+* [Simple Gateway](https://gateway-api.sigs.k8s.io/v1alpha2/guides/simple-gateway/)
+* [HTTP routing](https://gateway-api.sigs.k8s.io/v1alpha2/guides/http-routing/)
+* [TLS](https://gateway-api.sigs.k8s.io/v1alpha2/guides/tls/)

 ## Resource Configuration

--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -229,7 +229,7 @@ See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-
 ```yaml tab="File (YAML)"
 providers:
  kubernetesIngress:
-    labelselector: "app=traefik"
+    labelSelector: "app=traefik"
    # ...
 ```

@@ -445,7 +445,11 @@ providers:

 ### `allowEmptyServices`

-_Optional, Default: false
+_Optional, Default: false_
+
+If the parameter is set to `true`,
+it allows the creation of an empty [servers load balancer](../routing/services/index.md#servers-load-balancer) if the targeted Kubernetes service has no endpoints available.
+This results in `503` HTTP responses instead of `404` ones.

 ```yaml tab="File (YAML)"
 providers:
@@ -464,14 +468,12 @@ providers:
 --providers.kubernetesingress.allowEmptyServices=true
 ```

-Allow the creation of services if there are no endpoints available.
-This results in `503` http responses instead of `404`.
-
 ### `allowExternalNameServices`

 _Optional, Default: false_

-If the parameter is set to `true`, Ingresses are able to reference ExternalName services.
+If the parameter is set to `true`,
+Ingresses are able to reference ExternalName services.

 ```yaml tab="File (YAML)"
 providers:
@@ -493,4 +495,4 @@ providers:
 ### Further

 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.5/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.6/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
--- a/docs/content/providers/marathon.md
+++ b/docs/content/providers/marathon.md
@@ -404,10 +404,12 @@ providers:

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to Marathon.

-Certificate Authority used for the secure connection to Marathon,
-defaults to the system bundle.
+#### `ca`
+
+`ca` is the path to the certificate authority used for the secure connection to Marathon,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -425,13 +427,15 @@ providers:
 --providers.marathon.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Marathon.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Marathon.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -453,9 +457,12 @@ providers:
 --providers.marathon.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to Marathon.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to Marathon.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -476,9 +483,12 @@ providers:
 --providers.marathon.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to Marathon.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to Marathon.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -499,7 +509,9 @@ providers:
 --providers.marathon.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to Marathon accepts any certificate presented by the server regardless of the hostnames it covers.

@@ -532,18 +544,18 @@ see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
 ```yaml tab="File (YAML)"
 providers:
  marathon:
-    responseHeaderTimeout: "10s"
+    tlsHandshakeTimeout: "10s"
    # ...
 ```

 ```toml tab="File (TOML)"
 [providers.marathon]
-  responseHeaderTimeout = "10s"
+  tlsHandshakeTimeout = "10s"
  # ...
 ```

 ```bash tab="CLI"
--providers.marathon.responseHeaderTimeout=10s
+--providers.marathon.tlsHandshakeTimeout=10s
 # ...
 ```

--- a/docs/content/providers/redis.md
+++ b/docs/content/providers/redis.md
@@ -15,7 +15,7 @@ See the dedicated section in [routing](../routing/providers/kv.md).

 _Required, Default="127.0.0.1:6379"_

-Defines how to access to Redis.
+Defines how to access Redis.

 ```yaml tab="File (YAML)"
 providers:
@@ -104,10 +104,14 @@ providers:

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to Redis.

-Certificate Authority used for the secure connection to Redis,
-defaults to the system bundle.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to Redis,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -125,13 +129,15 @@ providers:
 --providers.redis.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Redis.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Redis.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -153,9 +159,12 @@ providers:
 --providers.redis.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to Redis.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to Redis.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -176,9 +185,12 @@ providers:
 --providers.redis.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to Redis.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to Redis.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -199,7 +211,9 @@ providers:
 --providers.redis.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to Redis accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/providers/zookeeper.md
+++ b/docs/content/providers/zookeeper.md
@@ -15,7 +15,7 @@ See the dedicated section in [routing](../routing/providers/kv.md).

 _Required, Default="127.0.0.1:2181"_

-Defines how to access to ZooKeeper.
+Defines how to access ZooKeeper.

 ```yaml tab="File (YAML)"
 providers:
@@ -104,10 +104,14 @@ providers:

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to ZooKeeper.

-Certificate Authority used for the secure connection to ZooKeeper,
-defaults to the system bundle.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to ZooKeeper,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -125,13 +129,15 @@ providers:
 --providers.zookeeper.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Zookeeper.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Zookeeper.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -153,9 +159,12 @@ providers:
 --providers.zookeeper.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to ZooKeeper.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to ZooKeeper.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -176,9 +185,12 @@ providers:
 --providers.zookeeper.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to ZooKeeper.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to ZooKeeper.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -199,7 +211,9 @@ providers:
 --providers.zookeeper.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to Zookeeper accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/reference/dynamic-configuration/docker-labels.yml
+++ b/docs/content/reference/dynamic-configuration/docker-labels.yml
@@ -13,6 +13,7 @@
 - "traefik.http.middlewares.middleware04.circuitbreaker.expression=foobar"
 - "traefik.http.middlewares.middleware05.compress=true"
 - "traefik.http.middlewares.middleware05.compress.excludedcontenttypes=foobar, foobar"
+- "traefik.http.middlewares.middleware05.compress.minresponsebodybytes=42"
 - "traefik.http.middlewares.middleware06.contenttype.autodetect=true"
 - "traefik.http.middlewares.middleware07.digestauth.headerfield=foobar"
 - "traefik.http.middlewares.middleware07.digestauth.realm=foobar"
@@ -90,6 +91,7 @@
 - "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.domaincomponent=true"
 - "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.locality=true"
 - "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organization=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organizationalunit=true"
 - "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.province=true"
 - "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.serialnumber=true"
 - "traefik.http.middlewares.middleware13.passtlsclientcert.pem=true"
@@ -163,6 +165,7 @@
 - "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
 - "traefik.tcp.routers.tcprouter0.middlewares=foobar, foobar"
 - "traefik.tcp.routers.tcprouter0.rule=foobar"
+- "traefik.tcp.routers.tcprouter0.priority=42"
 - "traefik.tcp.routers.tcprouter0.service=foobar"
 - "traefik.tcp.routers.tcprouter0.tls=true"
 - "traefik.tcp.routers.tcprouter0.tls.certresolver=foobar"
@@ -175,6 +178,7 @@
 - "traefik.tcp.routers.tcprouter1.entrypoints=foobar, foobar"
 - "traefik.tcp.routers.tcprouter1.middlewares=foobar, foobar"
 - "traefik.tcp.routers.tcprouter1.rule=foobar"
+- "traefik.tcp.routers.tcprouter1.priority=42"
 - "traefik.tcp.routers.tcprouter1.service=foobar"
 - "traefik.tcp.routers.tcprouter1.tls=true"
 - "traefik.tcp.routers.tcprouter1.tls.certresolver=foobar"
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@@ -95,6 +95,12 @@
            secure = true
            httpOnly = true
            sameSite = "foobar"
+    [http.services.Service04]
+      [http.services.Service04.failover]
+        service = "foobar"
+        fallback = "foobar"
+
+      [http.services.Service04.failover.healthCheck]
  [http.middlewares]
    [http.middlewares.Middleware00]
      [http.middlewares.Middleware00.addPrefix]
@@ -122,6 +128,7 @@
    [http.middlewares.Middleware05]
      [http.middlewares.Middleware05.compress]
        excludedContentTypes = ["foobar", "foobar"]
+        minResponseBodyBytes = 42
    [http.middlewares.Middleware06]
      [http.middlewares.Middleware06.contentType]
        autoDetect = true
@@ -217,6 +224,7 @@
            province = true
            locality = true
            organization = true
+            organizationalUnit = true
            commonName = true
            serialNumber = true
            domainComponent = true
@@ -318,6 +326,7 @@
      middlewares = ["foobar", "foobar"]
      service = "foobar"
      rule = "foobar"
+      priority = 42
      [tcp.routers.TCPRouter0.tls]
        passthrough = true
        options = "foobar"
@@ -335,6 +344,7 @@
      middlewares = ["foobar", "foobar"]
      service = "foobar"
      rule = "foobar"
+      priority = 42
      [tcp.routers.TCPRouter1.tls]
        passthrough = true
        options = "foobar"
--- a/docs/content/reference/dynamic-configuration/file.yaml
+++ b/docs/content/reference/dynamic-configuration/file.yaml
@@ -95,6 +95,11 @@ http:
            secure: true
            httpOnly: true
            sameSite: foobar
+    Service04:
+      failover:
+        service: foobar
+        fallback: foobar
+        healthCheck: {}
  middlewares:
    Middleware00:
      addPrefix:
@@ -128,6 +133,7 @@ http:
        excludedContentTypes:
        - foobar
        - foobar
+        minResponseBodyBytes: 42
    Middleware06:
      contentType:
        autoDetect: true
@@ -250,6 +256,7 @@ http:
            province: true
            locality: true
            organization: true
+            organizationalUnit: true
            commonName: true
            serialNumber: true
            domainComponent: true
@@ -359,6 +366,7 @@ tcp:
      - foobar
      service: foobar
      rule: foobar
+      priority: 42
      tls:
        passthrough: true
        options: foobar
@@ -381,6 +389,7 @@ tcp:
      - foobar
      service: foobar
      rule: foobar
+      priority: 42
      tls:
        passthrough: true
        options: foobar
--- a/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_gatewayclasses.yaml
+++ b/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_gatewayclasses.yaml
@@ -4,11 +4,11 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.5.0
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/891
  creationTimestamp: null
-  name: gatewayclasses.networking.x-k8s.io
+  name: gatewayclasses.gateway.networking.k8s.io
 spec:
-  group: networking.x-k8s.io
+  group: gateway.networking.k8s.io
  names:
    categories:
    - gateway-api
@@ -27,12 +27,26 @@ spec:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
-    name: v1alpha1
+    - jsonPath: .spec.description
+      name: Description
+      priority: 1
+      type: string
+    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: "GatewayClass describes a class of Gateways available to the
-          user for creating Gateway resources. \n GatewayClass is a Cluster level
-          resource."
+          user for creating Gateway resources. \n It is recommended that this resource
+          be used as a template for Gateways. This means that a Gateway is based on
+          the state of the GatewayClass at the time it was created and changes to
+          the GatewayClass or associated parameters are not propagated down to existing
+          Gateways. This recommendation is intended to limit the blast radius of changes
+          to GatewayClass or associated parameters. If implementations choose to propagate
+          GatewayClass changes to existing Gateways, that MUST be clearly documented
+          by the implementation. \n Whenever one or more Gateways are using a GatewayClass,
+          implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io`
+          finalizer on the associated GatewayClass. This ensures that a GatewayClass
+          associated with a Gateway is not deleted while in use. \n GatewayClass is
+          a Cluster level resource."
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -49,14 +63,18 @@ spec:
          spec:
            description: Spec defines the desired state of GatewayClass.
            properties:
-              controller:
-                description: "Controller is a domain/path string that indicates the
-                  controller that is managing Gateways of this class. \n Example:
-                  \"acme.io/gateway-controller\". \n This field is not mutable and
-                  cannot be empty. \n The format of this field is DOMAIN \"/\" PATH,
-                  where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
-                  \n Support: Core"
+              controllerName:
+                description: "ControllerName is the name of the controller that is
+                  managing Gateways of this class. The value of this field MUST be
+                  a domain prefixed path. \n Example: \"example.net/gateway-controller\".
+                  \n This field is not mutable and cannot be empty. \n Support: Core"
                maxLength: 253
+                minLength: 1
+                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+                type: string
+              description:
+                description: Description helps describe a GatewayClass with more details.
+                maxLength: 64
                type: string
              parametersRef:
                description: "ParametersRef is a reference to a resource that contains
@@ -71,12 +89,13 @@ spec:
                  group:
                    description: Group is the group of the referent.
                    maxLength: 253
-                    minLength: 1
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                    type: string
                  kind:
                    description: Kind is kind of the referent.
-                    maxLength: 253
+                    maxLength: 63
                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                    type: string
                  name:
                    description: Name is the name of the referent.
@@ -85,18 +104,11 @@ spec:
                    type: string
                  namespace:
                    description: Namespace is the namespace of the referent. This
-                      field is required when scope is set to "Namespace" and ignored
-                      when scope is set to "Cluster".
-                    maxLength: 253
+                      field is required when referring to a Namespace-scoped resource
+                      and MUST be unset when referring to a Cluster-scoped resource.
+                    maxLength: 63
                    minLength: 1
-                    type: string
-                  scope:
-                    default: Cluster
-                    description: Scope represents if the referent is a Cluster or
-                      Namespace scoped resource. This may be set to "Cluster" or "Namespace".
-                    enum:
-                    - Cluster
-                    - Namespace
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                    type: string
                required:
                - group
@@ -104,7 +116,7 @@ spec:
                - name
                type: object
            required:
-            - controller
+            - controllerName
            type: object
          status:
            default:
@@ -112,8 +124,8 @@ spec:
              - lastTransitionTime: "1970-01-01T00:00:00Z"
                message: Waiting for controller
                reason: Waiting
-                status: "False"
-                type: Admitted
+                status: Unknown
+                type: Accepted
            description: Status defines the current state of GatewayClass.
            properties:
              conditions:
@@ -121,8 +133,8 @@ spec:
                - lastTransitionTime: "1970-01-01T00:00:00Z"
                  message: Waiting for controller
                  reason: Waiting
-                  status: "False"
-                  type: Admitted
+                  status: Unknown
+                  type: Accepted
                description: "Conditions is the current status from the controller
                  for this GatewayClass. \n Controllers should prefer to publish conditions
                  using values of GatewayClassConditionType for the type of each Condition."
@@ -199,6 +211,8 @@ spec:
                - type
                x-kubernetes-list-type: map
            type: object
+        required:
+        - spec
        type: object
    served: true
    storage: true
--- a/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_gateways.yaml
+++ b/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_gateways.yaml
@@ -4,11 +4,11 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.5.0
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/891
  creationTimestamp: null
-  name: gateways.networking.x-k8s.io
+  name: gateways.gateway.networking.k8s.io
 spec:
-  group: networking.x-k8s.io
+  group: gateway.networking.k8s.io
  names:
    categories:
    - gateway-api
@@ -24,18 +24,20 @@ spec:
    - jsonPath: .spec.gatewayClassName
      name: Class
      type: string
+    - jsonPath: .status.addresses[*].value
+      name: Address
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
-    name: v1alpha1
+    name: v1alpha2
    schema:
      openAPIV3Schema:
-        description: "Gateway represents an instantiation of a service-traffic handling
-          infrastructure by binding Listeners to a set of IP addresses. \n Implementations
-          should add the `gateway-exists-finalizer.networking.x-k8s.io` finalizer
-          on the associated GatewayClass whenever Gateway(s) is running. This ensures
-          that a GatewayClass associated with a Gateway(s) is not deleted while in
-          use."
+        description: Gateway represents an instance of a service-traffic handling
+          infrastructure by binding Listeners to a set of IP addresses.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -53,24 +55,32 @@ spec:
            description: Spec defines the desired state of Gateway.
            properties:
              addresses:
-                description: "Addresses requested for this gateway. This is optional
-                  and behavior can depend on the GatewayClass. If a value is set in
-                  the spec and the requested address is invalid, the GatewayClass
-                  MUST indicate this in the associated entry in GatewayStatus.Addresses.
-                  \n If no Addresses are specified, the GatewayClass may schedule
-                  the Gateway in an implementation-defined manner, assigning an appropriate
-                  set of Addresses. \n The GatewayClass MUST bind all Listeners to
-                  every GatewayAddress that it assigns to the Gateway. \n Support:
-                  Core"
+                description: "Addresses requested for this Gateway. This is optional
+                  and behavior can depend on the implementation. If a value is set
+                  in the spec and the requested address is invalid or unavailable,
+                  the implementation MUST indicate this in the associated entry in
+                  GatewayStatus.Addresses. \n The Addresses field represents a request
+                  for the address(es) on the \"outside of the Gateway\", that traffic
+                  bound for this Gateway will use. This could be the IP address or
+                  hostname of an external load balancer or other networking infrastructure,
+                  or some other address that traffic will be sent to. \n The .listener.hostname
+                  field is used to route traffic that has already arrived at the Gateway
+                  to the correct in-cluster destination. \n If no Addresses are specified,
+                  the implementation MAY schedule the Gateway in an implementation-specific
+                  manner, assigning an appropriate set of Addresses. \n The implementation
+                  MUST bind all Listeners to every GatewayAddress that it assigns
+                  to the Gateway and add a corresponding entry in GatewayStatus.Addresses.
+                  \n Support: Core"
                items:
                  description: GatewayAddress describes an address that can be bound
                    to a Gateway.
                  properties:
                    type:
                      default: IPAddress
-                      description: "Type of the address. \n Support: Extended"
+                      description: Type of the address.
                      enum:
                      - IPAddress
+                      - Hostname
                      - NamedAddress
                      type: string
                    value:
@@ -94,130 +104,96 @@ spec:
              listeners:
                description: "Listeners associated with this Gateway. Listeners define
                  logical endpoints that are bound on this Gateway's addresses. At
-                  least one Listener MUST be specified. \n An implementation MAY group
-                  Listeners by Port and then collapse each group of Listeners into
-                  a single Listener if the implementation determines that the Listeners
-                  in the group are \"compatible\". An implementation MAY also group
-                  together and collapse compatible Listeners belonging to different
-                  Gateways. \n For example, an implementation might consider Listeners
-                  to be compatible with each other if all of the following conditions
-                  are met: \n 1. Either each Listener within the group specifies the
-                  \"HTTP\"    Protocol or each Listener within the group specifies
-                  either    the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener
-                  within the group specifies a Hostname that is unique    within the
-                  group. \n 3. As a special case, one Listener within a group may
-                  omit Hostname,    in which case this Listener matches when no other
-                  Listener    matches. \n If the implementation does collapse compatible
-                  Listeners, the hostname provided in the incoming client request
-                  MUST be matched to a Listener to find the correct set of Routes.
-                  The incoming hostname MUST be matched using the Hostname field for
-                  each Listener in order of most to least specific. That is, exact
-                  matches must be processed before wildcard matches. \n If this field
-                  specifies multiple Listeners that have the same Port value but are
-                  not compatible, the implementation must raise a \"Conflicted\" condition
-                  in the Listener status. \n Support: Core"
+                  least one Listener MUST be specified. \n Each listener in a Gateway
+                  must have a unique combination of Hostname, Port, and Protocol.
+                  \n An implementation MAY group Listeners by Port and then collapse
+                  each group of Listeners into a single Listener if the implementation
+                  determines that the Listeners in the group are \"compatible\". An
+                  implementation MAY also group together and collapse compatible Listeners
+                  belonging to different Gateways. \n For example, an implementation
+                  might consider Listeners to be compatible with each other if all
+                  of the following conditions are met: \n 1. Either each Listener
+                  within the group specifies the \"HTTP\"    Protocol or each Listener
+                  within the group specifies either    the \"HTTPS\" or \"TLS\" Protocol.
+                  \n 2. Each Listener within the group specifies a Hostname that is
+                  unique    within the group. \n 3. As a special case, one Listener
+                  within a group may omit Hostname,    in which case this Listener
+                  matches when no other Listener    matches. \n If the implementation
+                  does collapse compatible Listeners, the hostname provided in the
+                  incoming client request MUST be matched to a Listener to find the
+                  correct set of Routes. The incoming hostname MUST be matched using
+                  the Hostname field for each Listener in order of most to least specific.
+                  That is, exact matches must be processed before wildcard matches.
+                  \n If this field specifies multiple Listeners that have the same
+                  Port value but are not compatible, the implementation must raise
+                  a \"Conflicted\" condition in the Listener status. \n Support: Core"
                items:
                  description: Listener embodies the concept of a logical endpoint
-                    where a Gateway can accept network connections. Each listener
-                    in a Gateway must have a unique combination of Hostname, Port,
-                    and Protocol. This will be enforced by a validating webhook.
+                    where a Gateway accepts network connections.
                  properties:
-                    hostname:
-                      description: "Hostname specifies the virtual hostname to match
-                        for protocol types that define this concept. When unspecified,
-                        \"\", or `*`, all hostnames are matched. This field can be
-                        omitted for protocols that don't require hostname based matching.
-                        \n Hostname is the fully qualified domain name of a network
-                        host, as defined by RFC 3986. Note the following deviations
-                        from the \"host\" part of the URI as defined in the RFC: \n
-                        1. IP literals are not allowed. 2. The `:` delimiter is not
-                        respected because ports are not allowed. \n Hostname can be
-                        \"precise\" which is a domain name without the terminating
-                        dot of a network host (e.g. \"foo.example.com\") or \"wildcard\",
-                        which is a domain name prefixed with a single wildcard label
-                        (e.g. `*.example.com`). The wildcard character `*` must appear
-                        by itself as the first DNS label and matches only a single
-                        label. \n Support: Core"
-                      maxLength: 253
-                      minLength: 1
-                      type: string
-                    port:
-                      description: "Port is the network port. Multiple listeners may
-                        use the same port, subject to the Listener compatibility rules.
+                    allowedRoutes:
+                      default:
+                        namespaces:
+                          from: Same
+                      description: "AllowedRoutes defines the types of routes that
+                        MAY be attached to a Listener and the trusted namespaces where
+                        those Route resources MAY be present. \n Although a client
+                        request may match multiple route rules, only one rule may
+                        ultimately receive the request. Matching precedence MUST be
+                        determined in order of the following criteria: \n * The most
+                        specific match as defined by the Route type. * The oldest
+                        Route based on creation timestamp. For example, a Route with
+                        \  a creation timestamp of \"2020-09-08 01:02:03\" is given
+                        precedence over   a Route with a creation timestamp of \"2020-09-08
+                        01:02:04\". * If everything else is equivalent, the Route
+                        appearing first in   alphabetical order (namespace/name) should
+                        be given precedence. For   example, foo/bar is given precedence
+                        over foo/baz. \n All valid rules within a Route attached to
+                        this Listener should be implemented. Invalid Route rules can
+                        be ignored (sometimes that will mean the full Route). If a
+                        Route rule transitions from valid to invalid, support for
+                        that Route rule should be dropped to ensure consistency. For
+                        example, even if a filter specified by a Route rule is invalid,
+                        the rest of the rules within that Route should still be supported.
                        \n Support: Core"
-                      format: int32
-                      maximum: 65535
-                      minimum: 1
-                      type: integer
-                    protocol:
-                      description: "Protocol specifies the network protocol this listener
-                        expects to receive. The GatewayClass MUST apply the Hostname
-                        match appropriately for each protocol: \n * For the \"TLS\"
-                        protocol, the Hostname match MUST be   applied to the [SNI](https://tools.ietf.org/html/rfc6066#section-3)
-                        \  server name offered by the client. * For the \"HTTP\" protocol,
-                        the Hostname match MUST be   applied to the host portion of
-                        the   [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5)
-                        \  or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3)
-                        * For the \"HTTPS\" protocol, the Hostname match MUST be   applied
-                        at both the TLS and HTTP protocol layers. \n Support: Core"
-                      type: string
-                    routes:
-                      description: "Routes specifies a schema for associating routes
-                        with the Listener using selectors. A Route is a resource capable
-                        of servicing a request and allows a cluster operator to expose
-                        a cluster resource (i.e. Service) by externally-reachable
-                        URL, load-balance traffic and terminate SSL/TLS.  Typically,
-                        a route is a \"HTTPRoute\" or \"TCPRoute\" in group \"networking.x-k8s.io\",
-                        however, an implementation may support other types of resources.
-                        \n The Routes selector MUST select a set of objects that are
-                        compatible with the application protocol specified in the
-                        Protocol field. \n Although a client request may technically
-                        match multiple route rules, only one rule may ultimately receive
-                        the request. Matching precedence MUST be determined in order
-                        of the following criteria: \n * The most specific match. For
-                        example, the most specific HTTPRoute match   is determined
-                        by the longest matching combination of hostname and path.
-                        * The oldest Route based on creation timestamp. For example,
-                        a Route with   a creation timestamp of \"2020-09-08 01:02:03\"
-                        is given precedence over   a Route with a creation timestamp
-                        of \"2020-09-08 01:02:04\". * If everything else is equivalent,
-                        the Route appearing first in   alphabetical order (namespace/name)
-                        should be given precedence. For   example, foo/bar is given
-                        precedence over foo/baz. \n All valid portions of a Route
-                        selected by this field should be supported. Invalid portions
-                        of a Route can be ignored (sometimes that will mean the full
-                        Route). If a portion of a Route transitions from valid to
-                        invalid, support for that portion of the Route should be dropped
-                        to ensure consistency. For example, even if a filter specified
-                        by a Route is invalid, the rest of the Route should still
-                        be supported. \n Support: Core"
                      properties:
-                        group:
-                          default: networking.x-k8s.io
-                          description: "Group is the group of the route resource to
-                            select. Omitting the value or specifying the empty string
-                            indicates the networking.x-k8s.io API group. For example,
-                            use the following to select an HTTPRoute: \n routes:   kind:
-                            HTTPRoute \n Otherwise, if an alternative API group is
-                            desired, specify the desired group: \n routes:   group:
-                            acme.io   kind: FooRoute \n Support: Core"
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                        kind:
-                          description: "Kind is the kind of the route resource to
-                            select. \n Kind MUST correspond to kinds of routes that
-                            are compatible with the application protocol specified
-                            in the Listener's Protocol field. \n If an implementation
-                            does not support or recognize this resource type, it SHOULD
-                            set the \"ResolvedRefs\" condition to false for this listener
-                            with the \"InvalidRoutesRef\" reason. \n Support: Core"
-                          type: string
+                        kinds:
+                          description: "Kinds specifies the groups and kinds of Routes
+                            that are allowed to bind to this Gateway Listener. When
+                            unspecified or empty, the kinds of Routes selected are
+                            determined using the Listener protocol. \n A RouteGroupKind
+                            MUST correspond to kinds of Routes that are compatible
+                            with the application protocol specified in the Listener's
+                            Protocol field. If an implementation does not support
+                            or recognize this resource type, it MUST set the \"ResolvedRefs\"
+                            condition to False for this Listener with the \"InvalidRoutesRef\"
+                            reason. \n Support: Core"
+                          items:
+                            description: RouteGroupKind indicates the group and kind
+                              of a Route resource.
+                            properties:
+                              group:
+                                default: gateway.networking.k8s.io
+                                description: Group is the group of the Route.
+                                maxLength: 253
+                                pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                type: string
+                              kind:
+                                description: Kind is the kind of the Route.
+                                maxLength: 63
+                                minLength: 1
+                                pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                                type: string
+                            required:
+                            - kind
+                            type: object
+                          maxItems: 8
+                          type: array
                        namespaces:
                          default:
                            from: Same
-                          description: "Namespaces indicates in which namespaces Routes
-                            should be selected for this Gateway. This is restricted
+                          description: "Namespaces indicates namespaces from which
+                            Routes may be attached to this Listener. This is restricted
                            to the namespace of this Gateway by default. \n Support:
                            Core"
                          properties:
@@ -286,156 +262,180 @@ spec:
                                  type: object
                              type: object
                          type: object
-                        selector:
-                          description: "Selector specifies a set of route labels used
-                            for selecting routes to associate with the Gateway. If
-                            this Selector is defined, only routes matching the Selector
-                            are associated with the Gateway. An empty Selector matches
-                            all routes. \n Support: Core"
-                          properties:
-                            matchExpressions:
-                              description: matchExpressions is a list of label selector
-                                requirements. The requirements are ANDed.
-                              items:
-                                description: A label selector requirement is a selector
-                                  that contains values, a key, and an operator that
-                                  relates the key and values.
-                                properties:
-                                  key:
-                                    description: key is the label key that the selector
-                                      applies to.
-                                    type: string
-                                  operator:
-                                    description: operator represents a key's relationship
-                                      to a set of values. Valid operators are In,
-                                      NotIn, Exists and DoesNotExist.
-                                    type: string
-                                  values:
-                                    description: values is an array of string values.
-                                      If the operator is In or NotIn, the values array
-                                      must be non-empty. If the operator is Exists
-                                      or DoesNotExist, the values array must be empty.
-                                      This array is replaced during a strategic merge
-                                      patch.
-                                    items:
-                                      type: string
-                                    type: array
-                                required:
-                                - key
-                                - operator
-                                type: object
-                              type: array
-                            matchLabels:
-                              additionalProperties:
-                                type: string
-                              description: matchLabels is a map of {key,value} pairs.
-                                A single {key,value} in the matchLabels map is equivalent
-                                to an element of matchExpressions, whose key field
-                                is "key", the operator is "In", and the values array
-                                contains only "value". The requirements are ANDed.
-                              type: object
-                          type: object
-                      required:
-                      - kind
                      type: object
+                    hostname:
+                      description: "Hostname specifies the virtual hostname to match
+                        for protocol types that define this concept. When unspecified,
+                        all hostnames are matched. This field is ignored for protocols
+                        that don't require hostname based matching. \n Implementations
+                        MUST apply Hostname matching appropriately for each of the
+                        following protocols: \n * TLS: The Listener Hostname MUST
+                        match the SNI. * HTTP: The Listener Hostname MUST match the
+                        Host header of the request. * HTTPS: The Listener Hostname
+                        SHOULD match at both the TLS and HTTP   protocol layers as
+                        described above. If an implementation does not   ensure that
+                        both the SNI and Host header match the Listener hostname,
+                        \  it MUST clearly document that. \n For HTTPRoute and TLSRoute
+                        resources, there is an interaction with the `spec.hostnames`
+                        array. When both listener and route specify hostnames, there
+                        MUST be an intersection between the values for a Route to
+                        be accepted. For more information, refer to the Route specific
+                        Hostnames documentation. \n Support: Core"
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    name:
+                      description: "Name is the name of the Listener. \n Support:
+                        Core"
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    port:
+                      description: "Port is the network port. Multiple listeners may
+                        use the same port, subject to the Listener compatibility rules.
+                        \n Support: Core"
+                      format: int32
+                      maximum: 65535
+                      minimum: 1
+                      type: integer
+                    protocol:
+                      description: "Protocol specifies the network protocol this listener
+                        expects to receive. \n Support: Core"
+                      maxLength: 255
+                      minLength: 1
+                      pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+                      type: string
                    tls:
                      description: "TLS is the TLS configuration for the Listener.
                        This field is required if the Protocol field is \"HTTPS\"
-                        or \"TLS\" and ignored otherwise. \n The association of SNIs
-                        to Certificate defined in GatewayTLSConfig is defined based
-                        on the Hostname field for this listener. \n The GatewayClass
+                        or \"TLS\". It is invalid to set this field if the Protocol
+                        field is \"HTTP\", \"TCP\", or \"UDP\". \n The association
+                        of SNIs to Certificate defined in GatewayTLSConfig is defined
+                        based on the Hostname field for this listener. \n The GatewayClass
                        MUST use the longest matching SNI out of all available certificates
                        for any TLS handshake. \n Support: Core"
                      properties:
-                        certificateRef:
-                          description: "CertificateRef is a reference to a Kubernetes
-                            object that contains a TLS certificate and private key.
-                            This certificate is used to establish a TLS handshake
-                            for requests that match the hostname of the associated
-                            listener. The referenced object MUST reside in the same
-                            namespace as Gateway. \n This field is required when mode
-                            is set to \"Terminate\" (default) and optional otherwise.
-                            \n CertificateRef can reference a standard Kubernetes
-                            resource, i.e. Secret, or an implementation-specific custom
-                            resource. \n Support: Core (Kubernetes Secrets) \n Support:
-                            Implementation-specific (Other resource types)"
-                          properties:
-                            group:
-                              description: Group is the group of the referent.
-                              maxLength: 253
-                              minLength: 1
-                              type: string
-                            kind:
-                              description: Kind is kind of the referent.
-                              maxLength: 253
-                              minLength: 1
-                              type: string
-                            name:
-                              description: Name is the name of the referent.
-                              maxLength: 253
-                              minLength: 1
-                              type: string
-                          required:
-                          - group
-                          - kind
-                          - name
-                          type: object
+                        certificateRefs:
+                          description: "CertificateRefs contains a series of references
+                            to Kubernetes objects that contains TLS certificates and
+                            private keys. These certificates are used to establish
+                            a TLS handshake for requests that match the hostname of
+                            the associated listener. \n A single CertificateRef to
+                            a Kubernetes Secret has \"Core\" support. Implementations
+                            MAY choose to support attaching multiple certificates
+                            to a Listener, but this behavior is implementation-specific.
+                            \n References to a resource in different namespace are
+                            invalid UNLESS there is a ReferencePolicy in the target
+                            namespace that allows the certificate to be attached.
+                            If a ReferencePolicy does not allow this reference, the
+                            \"ResolvedRefs\" condition MUST be set to False for this
+                            listener with the \"InvalidCertificateRef\" reason. \n
+                            This field is required to have at least one element when
+                            the mode is set to \"Terminate\" (default) and is optional
+                            otherwise. \n CertificateRefs can reference to standard
+                            Kubernetes resources, i.e. Secret, or implementation-specific
+                            custom resources. \n Support: Core - A single reference
+                            to a Kubernetes Secret \n Support: Implementation-specific
+                            (More than one reference or other resource types)"
+                          items:
+                            description: "SecretObjectReference identifies an API
+                              object including its namespace, defaulting to Secret.
+                              \n The API object must be valid in the cluster; the
+                              Group and Kind must be registered in the cluster for
+                              this reference to be valid. \n References to objects
+                              with invalid Group and Kind are not valid, and must
+                              be rejected by the implementation, with appropriate
+                              Conditions set on the containing object."
+                            properties:
+                              group:
+                                default: ""
+                                description: Group is the group of the referent. For
+                                  example, "networking.k8s.io". When unspecified (empty
+                                  string), core API group is inferred.
+                                maxLength: 253
+                                pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                type: string
+                              kind:
+                                default: Secret
+                                description: Kind is kind of the referent. For example
+                                  "HTTPRoute" or "Service".
+                                maxLength: 63
+                                minLength: 1
+                                pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                                type: string
+                              name:
+                                description: Name is the name of the referent.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                              namespace:
+                                description: "Namespace is the namespace of the backend.
+                                  When unspecified, the local namespace is inferred.
+                                  \n Note that when a namespace is specified, a ReferencePolicy
+                                  object is required in the referent namespace to
+                                  allow that namespace's owner to accept the reference.
+                                  See the ReferencePolicy documentation for details.
+                                  \n Support: Core"
+                                maxLength: 63
+                                minLength: 1
+                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          maxItems: 64
+                          type: array
                        mode:
                          default: Terminate
                          description: "Mode defines the TLS behavior for the TLS
                            session initiated by the client. There are two possible
-                            modes: - Terminate: The TLS session between the downstream
+                            modes: \n - Terminate: The TLS session between the downstream
                            client   and the Gateway is terminated at the Gateway.
-                            This mode requires   certificateRef to be set. - Passthrough:
-                            The TLS session is NOT terminated by the Gateway. This
-                            \  implies that the Gateway can't decipher the TLS stream
-                            except for   the ClientHello message of the TLS protocol.
-                            \  CertificateRef field is ignored in this mode. \n Support:
-                            Core"
+                            This mode requires   certificateRefs to be set and contain
+                            at least one element. - Passthrough: The TLS session is
+                            NOT terminated by the Gateway. This   implies that the
+                            Gateway can't decipher the TLS stream except for   the
+                            ClientHello message of the TLS protocol.   CertificateRefs
+                            field is ignored in this mode. \n Support: Core"
                          enum:
                          - Terminate
                          - Passthrough
                          type: string
                        options:
                          additionalProperties:
+                            description: AnnotationValue is the value of an annotation
+                              in Gateway API. This is used for validation of maps
+                              such as TLS options. This roughly matches Kubernetes
+                              annotation validation, although the length validation
+                              in that case is based on the entire size of the annotations
+                              struct.
+                            maxLength: 4096
+                            minLength: 0
                            type: string
-                          description: "Options are a list of key/value pairs to give
-                            extended options to the provider. \n There variation among
-                            providers as to how ciphersuites are expressed. If there
-                            is a common subset for expressing ciphers then it will
-                            make sense to loft that as a core API construct. \n Support:
-                            Implementation-specific"
-                          type: object
-                        routeOverride:
-                          default:
-                            certificate: Deny
-                          description: "RouteOverride dictates if TLS settings can
-                            be configured via Routes or not. \n CertificateRef must
-                            be defined even if `routeOverride.certificate` is set
-                            to 'Allow' as it will be used as the default certificate
-                            for the listener. \n Support: Core"
-                          properties:
-                            certificate:
-                              default: Deny
-                              description: "Certificate dictates if TLS certificates
-                                can be configured via Routes. If set to 'Allow', a
-                                TLS certificate for a hostname defined in a Route
-                                takes precedence over the certificate defined in Gateway.
-                                \n Support: Core"
-                              enum:
-                              - Allow
-                              - Deny
-                              type: string
+                          description: "Options are a list of key/value pairs to enable
+                            extended TLS configuration for each implementation. For
+                            example, configuring the minimum TLS version or supported
+                            cipher suites. \n A set of common keys MAY be defined
+                            by the API in the future. To avoid any ambiguity, implementation-specific
+                            definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`.
+                            Un-prefixed names are reserved for key names defined by
+                            Gateway API. \n Support: Implementation-specific"
+                          maxProperties: 16
                          type: object
                      type: object
                  required:
+                  - name
                  - port
                  - protocol
-                  - routes
                  type: object
                maxItems: 64
                minItems: 1
                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
            required:
            - gatewayClassName
            - listeners
@@ -446,24 +446,25 @@ spec:
              - lastTransitionTime: "1970-01-01T00:00:00Z"
                message: Waiting for controller
                reason: NotReconciled
-                status: "False"
+                status: Unknown
                type: Scheduled
            description: Status defines the current state of Gateway.
            properties:
              addresses:
-                description: "Addresses lists the IP addresses that have actually
-                  been bound to the Gateway. These addresses may differ from the addresses
+                description: Addresses lists the IP addresses that have actually been
+                  bound to the Gateway. These addresses may differ from the addresses
                  in the Spec, e.g. if the Gateway automatically assigns an address
-                  from a reserved pool. \n These addresses should all be of type \"IPAddress\"."
+                  from a reserved pool.
                items:
                  description: GatewayAddress describes an address that can be bound
                    to a Gateway.
                  properties:
                    type:
                      default: IPAddress
-                      description: "Type of the address. \n Support: Extended"
+                      description: Type of the address.
                      enum:
                      - IPAddress
+                      - Hostname
                      - NamedAddress
                      type: string
                    value:
@@ -483,7 +484,7 @@ spec:
                - lastTransitionTime: "1970-01-01T00:00:00Z"
                  message: Waiting for controller
                  reason: NotReconciled
-                  status: "False"
+                  status: Unknown
                  type: Scheduled
                description: "Conditions describe the current conditions of the Gateway.
                  \n Implementations should prefer to express Gateway conditions using
@@ -569,6 +570,11 @@ spec:
                items:
                  description: ListenerStatus is the status associated with a Listener.
                  properties:
+                    attachedRoutes:
+                      description: AttachedRoutes represents the total number of Routes
+                        that have been successfully attached to this Listener.
+                      format: int32
+                      type: integer
                    conditions:
                      description: Conditions describe the current condition of this
                        listener.
@@ -648,34 +654,58 @@ spec:
                      x-kubernetes-list-map-keys:
                      - type
                      x-kubernetes-list-type: map
-                    hostname:
-                      description: Hostname is the Listener hostname value for which
-                        this message is reporting the status.
+                    name:
+                      description: Name is the name of the Listener that this status
+                        corresponds to.
                      maxLength: 253
                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
-                    port:
-                      description: Port is the unique Listener port value for which
-                        this message is reporting the status.
-                      format: int32
-                      maximum: 65535
-                      minimum: 1
-                      type: integer
-                    protocol:
-                      description: Protocol is the Listener protocol value for which
-                        this message is reporting the status.
-                      type: string
+                    supportedKinds:
+                      description: "SupportedKinds is the list indicating the Kinds
+                        supported by this listener. This MUST represent the kinds
+                        an implementation supports for that Listener configuration.
+                        \n If kinds are specified in Spec that are not supported,
+                        they MUST NOT appear in this list and an implementation MUST
+                        set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\"
+                        reason. If both valid and invalid Route kinds are specified,
+                        the implementation MUST reference the valid Route kinds that
+                        have been specified."
+                      items:
+                        description: RouteGroupKind indicates the group and kind of
+                          a Route resource.
+                        properties:
+                          group:
+                            default: gateway.networking.k8s.io
+                            description: Group is the group of the Route.
+                            maxLength: 253
+                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                            type: string
+                          kind:
+                            description: Kind is the kind of the Route.
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                            type: string
+                        required:
+                        - kind
+                        type: object
+                      maxItems: 8
+                      type: array
                  required:
+                  - attachedRoutes
                  - conditions
-                  - port
-                  - protocol
+                  - name
+                  - supportedKinds
                  type: object
                maxItems: 64
                type: array
                x-kubernetes-list-map-keys:
-                - port
+                - name
                x-kubernetes-list-type: map
            type: object
+        required:
+        - spec
        type: object
    served: true
    storage: true
--- a/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_httproutes.yaml
+++ b/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_httproutes.yaml
--- a/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_tcproutes.yaml
+++ b/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_tcproutes.yaml
@@ -0,0 +1,431 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/891
+  creationTimestamp: null
+  name: tcproutes.gateway.networking.k8s.io
+spec:
+  group: gateway.networking.k8s.io
+  names:
+    categories:
+    - gateway-api
+    kind: TCPRoute
+    listKind: TCPRouteList
+    plural: tcproutes
+    singular: tcproute
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: TCPRoute provides a way to route TCP requests. When combined
+          with a Gateway listener, it can be used to forward connections on the port
+          specified by the listener to a set of backends specified by the TCPRoute.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of TCPRoute.
+            properties:
+              parentRefs:
+                description: "ParentRefs references the resources (usually Gateways)
+                  that a Route wants to be attached to. Note that the referenced parent
+                  resource needs to allow this for the attachment to be complete.
+                  For Gateways, that means the Gateway needs to allow attachment from
+                  Routes of this kind and namespace. \n The only kind of parent resource
+                  with \"Core\" support is Gateway. This API may be extended in the
+                  future to support additional kinds of parent resources such as one
+                  of the route kinds. \n It is invalid to reference an identical parent
+                  more than once. It is valid to reference multiple distinct sections
+                  within the same parent resource, such as 2 Listeners within a Gateway.
+                  \n It is possible to separately reference multiple distinct objects
+                  that may be collapsed by an implementation. For example, some implementations
+                  may choose to merge compatible Gateway Listeners together. If that
+                  is the case, the list of routes attached to those resources should
+                  also be merged."
+                items:
+                  description: "ParentRef identifies an API object (usually a Gateway)
+                    that can be considered a parent of this resource (usually a route).
+                    The only kind of parent resource with \"Core\" support is Gateway.
+                    This API may be extended in the future to support additional kinds
+                    of parent resources, such as HTTPRoute. \n The API object must
+                    be valid in the cluster; the Group and Kind must be registered
+                    in the cluster for this reference to be valid. \n References to
+                    objects with invalid Group and Kind are not valid, and must be
+                    rejected by the implementation, with appropriate Conditions set
+                    on the containing object."
+                  properties:
+                    group:
+                      default: gateway.networking.k8s.io
+                      description: "Group is the group of the referent. \n Support:
+                        Core"
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      default: Gateway
+                      description: "Kind is kind of the referent. \n Support: Core
+                        (Gateway) Support: Custom (Other Resources)"
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: "Name is the name of the referent. \n Support:
+                        Core"
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: "Namespace is the namespace of the referent. When
+                        unspecified (or empty string), this refers to the local namespace
+                        of the Route. \n Support: Core"
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                      type: string
+                    sectionName:
+                      description: "SectionName is the name of a section within the
+                        target resource. In the following resources, SectionName is
+                        interpreted as the following: \n * Gateway: Listener Name
+                        \n Implementations MAY choose to support attaching Routes
+                        to other resources. If that is the case, they MUST clearly
+                        document how SectionName is interpreted. \n When unspecified
+                        (empty string), this will reference the entire resource. For
+                        the purpose of status, an attachment is considered successful
+                        if at least one section in the parent resource accepts it.
+                        For example, Gateway listeners can restrict which Routes can
+                        attach to them by Route kind, namespace, or hostname. If 1
+                        of 2 Gateway listeners accept attachment from the referencing
+                        Route, the Route MUST be considered successfully attached.
+                        If no Gateway listeners accept attachment from this Route,
+                        the Route MUST be considered detached from the Gateway. \n
+                        Support: Core"
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 32
+                type: array
+              rules:
+                description: Rules are a list of TCP matchers and actions.
+                items:
+                  description: TCPRouteRule is the configuration for a given rule.
+                  properties:
+                    backendRefs:
+                      description: "BackendRefs defines the backend(s) where matching
+                        requests should be sent. If unspecified or invalid (refers
+                        to a non-existent resource or a Service with no endpoints),
+                        the underlying implementation MUST actively reject connection
+                        attempts to this backend. Connection rejections must respect
+                        weight; if an invalid backend is requested to have 80% of
+                        connections, then 80% of connections must be rejected instead.
+                        \n Support: Core for Kubernetes Service Support: Custom for
+                        any other resource \n Support for weight: Extended"
+                      items:
+                        description: "BackendRef defines how a Route should forward
+                          a request to a Kubernetes resource. \n Note that when a
+                          namespace is specified, a ReferencePolicy object is required
+                          in the referent namespace to allow that namespace's owner
+                          to accept the reference. See the ReferencePolicy documentation
+                          for details."
+                        properties:
+                          group:
+                            default: ""
+                            description: Group is the group of the referent. For example,
+                              "networking.k8s.io". When unspecified (empty string),
+                              core API group is inferred.
+                            maxLength: 253
+                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                            type: string
+                          kind:
+                            default: Service
+                            description: Kind is kind of the referent. For example
+                              "HTTPRoute" or "Service".
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                            type: string
+                          name:
+                            description: Name is the name of the referent.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                          namespace:
+                            description: "Namespace is the namespace of the backend.
+                              When unspecified, the local namespace is inferred. \n
+                              Note that when a namespace is specified, a ReferencePolicy
+                              object is required in the referent namespace to allow
+                              that namespace's owner to accept the reference. See
+                              the ReferencePolicy documentation for details. \n Support:
+                              Core"
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                            type: string
+                          port:
+                            description: Port specifies the destination port number
+                              to use for this resource. Port is required when the
+                              referent is a Kubernetes Service. For other resources,
+                              destination port might be derived from the referent
+                              resource or this field.
+                            format: int32
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                          weight:
+                            default: 1
+                            description: "Weight specifies the proportion of requests
+                              forwarded to the referenced backend. This is computed
+                              as weight/(sum of all weights in this BackendRefs list).
+                              For non-zero values, there may be some epsilon from
+                              the exact proportion defined here depending on the precision
+                              an implementation supports. Weight is not a percentage
+                              and the sum of weights does not need to equal 100. \n
+                              If only one backend is specified and it has a weight
+                              greater than 0, 100% of the traffic is forwarded to
+                              that backend. If weight is set to 0, no traffic should
+                              be forwarded for this entry. If unspecified, weight
+                              defaults to 1. \n Support for this field varies based
+                              on the context where used."
+                            format: int32
+                            maximum: 1000000
+                            minimum: 0
+                            type: integer
+                        required:
+                        - name
+                        type: object
+                      maxItems: 16
+                      minItems: 1
+                      type: array
+                  type: object
+                maxItems: 16
+                minItems: 1
+                type: array
+            required:
+            - rules
+            type: object
+          status:
+            description: Status defines the current state of TCPRoute.
+            properties:
+              parents:
+                description: "Parents is a list of parent resources (usually Gateways)
+                  that are associated with the route, and the status of the route
+                  with respect to each parent. When this route attaches to a parent,
+                  the controller that manages the parent must add an entry to this
+                  list when the controller first sees the route and should update
+                  the entry as appropriate when the route or gateway is modified.
+                  \n Note that parent references that cannot be resolved by an implementation
+                  of this API will not be added to this list. Implementations of this
+                  API can only populate Route status for the Gateways/parent resources
+                  they are responsible for. \n A maximum of 32 Gateways will be represented
+                  in this list. An empty list means the route has not been attached
+                  to any Gateway."
+                items:
+                  description: RouteParentStatus describes the status of a route with
+                    respect to an associated Parent.
+                  properties:
+                    conditions:
+                      description: "Conditions describes the status of the route with
+                        respect to the Gateway. Note that the route's availability
+                        is also subject to the Gateway's own status conditions and
+                        listener status. \n If the Route's ParentRef specifies an
+                        existing Gateway that supports Routes of this kind AND that
+                        Gateway's controller has sufficient access, then that Gateway's
+                        controller MUST set the \"Accepted\" condition on the Route,
+                        to indicate whether the route has been accepted or rejected
+                        by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
+                        if at least one of the Route's rules is implemented by the
+                        Gateway. \n There are a number of cases where the \"Accepted\"
+                        condition may not be set due to lack of controller visibility,
+                        that includes when: \n * The Route refers to a non-existent
+                        parent. * The Route is of a type that the controller does
+                        not support. * The Route is in a namespace the the controller
+                        does not have access to."
+                      items:
+                        description: "Condition contains details for one aspect of
+                          the current state of this API Resource. --- This struct
+                          is intended for direct use as an array at the field path
+                          .status.conditions.  For example, type FooStatus struct{
+                          \    // Represents the observations of a foo's current state.
+                          \    // Known .status.conditions.type are: \"Available\",
+                          \"Progressing\", and \"Degraded\"     // +patchMergeKey=type
+                          \    // +patchStrategy=merge     // +listType=map     //
+                          +listMapKey=type     Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                          patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
+                          \n     // other fields }"
+                        properties:
+                          lastTransitionTime:
+                            description: lastTransitionTime is the last time the condition
+                              transitioned from one status to another. This should
+                              be when the underlying condition changed.  If that is
+                              not known, then using the time when the API field changed
+                              is acceptable.
+                            format: date-time
+                            type: string
+                          message:
+                            description: message is a human readable message indicating
+                              details about the transition. This may be an empty string.
+                            maxLength: 32768
+                            type: string
+                          observedGeneration:
+                            description: observedGeneration represents the .metadata.generation
+                              that the condition was set based upon. For instance,
+                              if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+                              is 9, the condition is out of date with respect to the
+                              current state of the instance.
+                            format: int64
+                            minimum: 0
+                            type: integer
+                          reason:
+                            description: reason contains a programmatic identifier
+                              indicating the reason for the condition's last transition.
+                              Producers of specific condition types may define expected
+                              values and meanings for this field, and whether the
+                              values are considered a guaranteed API. The value should
+                              be a CamelCase string. This field may not be empty.
+                            maxLength: 1024
+                            minLength: 1
+                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                            type: string
+                          status:
+                            description: status of the condition, one of True, False,
+                              Unknown.
+                            enum:
+                            - "True"
+                            - "False"
+                            - Unknown
+                            type: string
+                          type:
+                            description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                              --- Many .condition.type values are consistent across
+                              resources like Available, but because arbitrary conditions
+                              can be useful (see .node.status.conditions), the ability
+                              to deconflict is important. The regex it matches is
+                              (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                            maxLength: 316
+                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                            type: string
+                        required:
+                        - lastTransitionTime
+                        - message
+                        - reason
+                        - status
+                        - type
+                        type: object
+                      maxItems: 8
+                      minItems: 1
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - type
+                      x-kubernetes-list-type: map
+                    controllerName:
+                      description: "ControllerName is a domain/path string that indicates
+                        the name of the controller that wrote this status. This corresponds
+                        with the controllerName field on GatewayClass. \n Example:
+                        \"example.net/gateway-controller\". \n The format of this
+                        field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+                        Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)."
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+                      type: string
+                    parentRef:
+                      description: ParentRef corresponds with a ParentRef in the spec
+                        that this RouteParentStatus struct describes the status of.
+                      properties:
+                        group:
+                          default: gateway.networking.k8s.io
+                          description: "Group is the group of the referent. \n Support:
+                            Core"
+                          maxLength: 253
+                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                        kind:
+                          default: Gateway
+                          description: "Kind is kind of the referent. \n Support:
+                            Core (Gateway) Support: Custom (Other Resources)"
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                          type: string
+                        name:
+                          description: "Name is the name of the referent. \n Support:
+                            Core"
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                        namespace:
+                          description: "Namespace is the namespace of the referent.
+                            When unspecified (or empty string), this refers to the
+                            local namespace of the Route. \n Support: Core"
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                          type: string
+                        sectionName:
+                          description: "SectionName is the name of a section within
+                            the target resource. In the following resources, SectionName
+                            is interpreted as the following: \n * Gateway: Listener
+                            Name \n Implementations MAY choose to support attaching
+                            Routes to other resources. If that is the case, they MUST
+                            clearly document how SectionName is interpreted. \n When
+                            unspecified (empty string), this will reference the entire
+                            resource. For the purpose of status, an attachment is
+                            considered successful if at least one section in the parent
+                            resource accepts it. For example, Gateway listeners can
+                            restrict which Routes can attach to them by Route kind,
+                            namespace, or hostname. If 1 of 2 Gateway listeners accept
+                            attachment from the referencing Route, the Route MUST
+                            be considered successfully attached. If no Gateway listeners
+                            accept attachment from this Route, the Route MUST be considered
+                            detached from the Gateway. \n Support: Core"
+                          maxLength: 253
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                      required:
+                      - name
+                      type: object
+                  required:
+                  - controllerName
+                  - parentRef
+                  type: object
+                maxItems: 32
+                type: array
+            required:
+            - parents
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_tlsroutes.yaml
+++ b/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_tlsroutes.yaml
@@ -0,0 +1,480 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/891
+  creationTimestamp: null
+  name: tlsroutes.gateway.networking.k8s.io
+spec:
+  group: gateway.networking.k8s.io
+  names:
+    categories:
+    - gateway-api
+    kind: TLSRoute
+    listKind: TLSRouteList
+    plural: tlsroutes
+    singular: tlsroute
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: "The TLSRoute resource is similar to TCPRoute, but can be configured
+          to match against TLS-specific metadata. This allows more flexibility in
+          matching streams for a given TLS listener. \n If you need to forward traffic
+          to a single target for a TLS listener, you could choose to use a TCPRoute
+          with a TLS listener."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of TLSRoute.
+            properties:
+              hostnames:
+                description: "Hostnames defines a set of SNI names that should match
+                  against the SNI attribute of TLS ClientHello message in TLS handshake.
+                  This matches the RFC 1123 definition of a hostname with 2 notable
+                  exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066.
+                  2. A hostname may be prefixed with a wildcard label (`*.`). The
+                  wildcard    label must appear by itself as the first label. \n If
+                  a hostname is specified by both the Listener and TLSRoute, there
+                  must be at least one intersecting hostname for the TLSRoute to be
+                  attached to the Listener. For example: \n * A Listener with `test.example.com`
+                  as the hostname matches TLSRoutes   that have either not specified
+                  any hostnames, or have specified at   least one of `test.example.com`
+                  or `*.example.com`. * A Listener with `*.example.com` as the hostname
+                  matches TLSRoutes   that have either not specified any hostnames
+                  or have specified at least   one hostname that matches the Listener
+                  hostname. For example,   `test.example.com` and `*.example.com`
+                  would both match. On the other   hand, `example.com` and `test.example.net`
+                  would not match. \n If both the Listener and TLSRoute have specified
+                  hostnames, any TLSRoute hostnames that do not match the Listener
+                  hostname MUST be ignored. For example, if a Listener specified `*.example.com`,
+                  and the TLSRoute specified `test.example.com` and `test.example.net`,
+                  `test.example.net` must not be considered for a match. \n If both
+                  the Listener and TLSRoute have specified hostnames, and none match
+                  with the criteria above, then the TLSRoute is not accepted. The
+                  implementation must raise an 'Accepted' Condition with a status
+                  of `False` in the corresponding RouteParentStatus. \n Support: Core"
+                items:
+                  description: "Hostname is the fully qualified domain name of a network
+                    host. This matches the RFC 1123 definition of a hostname with
+                    2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
+                    may be prefixed with a wildcard label (`*.`). The wildcard    label
+                    must appear by itself as the first label. \n Hostname can be \"precise\"
+                    which is a domain name without the terminating dot of a network
+                    host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
+                    name prefixed with a single wildcard label (e.g. `*.example.com`).
+                    \n Note that as per RFC1035 and RFC1123, a *label* must consist
+                    of lower case alphanumeric characters or '-', and must start and
+                    end with an alphanumeric character. No other punctuation is allowed."
+                  maxLength: 253
+                  minLength: 1
+                  pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                  type: string
+                maxItems: 16
+                type: array
+              parentRefs:
+                description: "ParentRefs references the resources (usually Gateways)
+                  that a Route wants to be attached to. Note that the referenced parent
+                  resource needs to allow this for the attachment to be complete.
+                  For Gateways, that means the Gateway needs to allow attachment from
+                  Routes of this kind and namespace. \n The only kind of parent resource
+                  with \"Core\" support is Gateway. This API may be extended in the
+                  future to support additional kinds of parent resources such as one
+                  of the route kinds. \n It is invalid to reference an identical parent
+                  more than once. It is valid to reference multiple distinct sections
+                  within the same parent resource, such as 2 Listeners within a Gateway.
+                  \n It is possible to separately reference multiple distinct objects
+                  that may be collapsed by an implementation. For example, some implementations
+                  may choose to merge compatible Gateway Listeners together. If that
+                  is the case, the list of routes attached to those resources should
+                  also be merged."
+                items:
+                  description: "ParentRef identifies an API object (usually a Gateway)
+                    that can be considered a parent of this resource (usually a route).
+                    The only kind of parent resource with \"Core\" support is Gateway.
+                    This API may be extended in the future to support additional kinds
+                    of parent resources, such as HTTPRoute. \n The API object must
+                    be valid in the cluster; the Group and Kind must be registered
+                    in the cluster for this reference to be valid. \n References to
+                    objects with invalid Group and Kind are not valid, and must be
+                    rejected by the implementation, with appropriate Conditions set
+                    on the containing object."
+                  properties:
+                    group:
+                      default: gateway.networking.k8s.io
+                      description: "Group is the group of the referent. \n Support:
+                        Core"
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      default: Gateway
+                      description: "Kind is kind of the referent. \n Support: Core
+                        (Gateway) Support: Custom (Other Resources)"
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: "Name is the name of the referent. \n Support:
+                        Core"
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: "Namespace is the namespace of the referent. When
+                        unspecified (or empty string), this refers to the local namespace
+                        of the Route. \n Support: Core"
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                      type: string
+                    sectionName:
+                      description: "SectionName is the name of a section within the
+                        target resource. In the following resources, SectionName is
+                        interpreted as the following: \n * Gateway: Listener Name
+                        \n Implementations MAY choose to support attaching Routes
+                        to other resources. If that is the case, they MUST clearly
+                        document how SectionName is interpreted. \n When unspecified
+                        (empty string), this will reference the entire resource. For
+                        the purpose of status, an attachment is considered successful
+                        if at least one section in the parent resource accepts it.
+                        For example, Gateway listeners can restrict which Routes can
+                        attach to them by Route kind, namespace, or hostname. If 1
+                        of 2 Gateway listeners accept attachment from the referencing
+                        Route, the Route MUST be considered successfully attached.
+                        If no Gateway listeners accept attachment from this Route,
+                        the Route MUST be considered detached from the Gateway. \n
+                        Support: Core"
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 32
+                type: array
+              rules:
+                description: Rules are a list of TLS matchers and actions.
+                items:
+                  description: TLSRouteRule is the configuration for a given rule.
+                  properties:
+                    backendRefs:
+                      description: "BackendRefs defines the backend(s) where matching
+                        requests should be sent. If unspecified or invalid (refers
+                        to a non-existent resource or a Service with no endpoints),
+                        the rule performs no forwarding; if no filters are specified
+                        that would result in a response being sent, the underlying
+                        implementation must actively reject request attempts to this
+                        backend, by rejecting the connection or returning a 503 status
+                        code. Request rejections must respect weight; if an invalid
+                        backend is requested to have 80% of requests, then 80% of
+                        requests must be rejected instead. \n Support: Core for Kubernetes
+                        Service Support: Custom for any other resource \n Support
+                        for weight: Extended"
+                      items:
+                        description: "BackendRef defines how a Route should forward
+                          a request to a Kubernetes resource. \n Note that when a
+                          namespace is specified, a ReferencePolicy object is required
+                          in the referent namespace to allow that namespace's owner
+                          to accept the reference. See the ReferencePolicy documentation
+                          for details."
+                        properties:
+                          group:
+                            default: ""
+                            description: Group is the group of the referent. For example,
+                              "networking.k8s.io". When unspecified (empty string),
+                              core API group is inferred.
+                            maxLength: 253
+                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                            type: string
+                          kind:
+                            default: Service
+                            description: Kind is kind of the referent. For example
+                              "HTTPRoute" or "Service".
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                            type: string
+                          name:
+                            description: Name is the name of the referent.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                          namespace:
+                            description: "Namespace is the namespace of the backend.
+                              When unspecified, the local namespace is inferred. \n
+                              Note that when a namespace is specified, a ReferencePolicy
+                              object is required in the referent namespace to allow
+                              that namespace's owner to accept the reference. See
+                              the ReferencePolicy documentation for details. \n Support:
+                              Core"
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                            type: string
+                          port:
+                            description: Port specifies the destination port number
+                              to use for this resource. Port is required when the
+                              referent is a Kubernetes Service. For other resources,
+                              destination port might be derived from the referent
+                              resource or this field.
+                            format: int32
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                          weight:
+                            default: 1
+                            description: "Weight specifies the proportion of requests
+                              forwarded to the referenced backend. This is computed
+                              as weight/(sum of all weights in this BackendRefs list).
+                              For non-zero values, there may be some epsilon from
+                              the exact proportion defined here depending on the precision
+                              an implementation supports. Weight is not a percentage
+                              and the sum of weights does not need to equal 100. \n
+                              If only one backend is specified and it has a weight
+                              greater than 0, 100% of the traffic is forwarded to
+                              that backend. If weight is set to 0, no traffic should
+                              be forwarded for this entry. If unspecified, weight
+                              defaults to 1. \n Support for this field varies based
+                              on the context where used."
+                            format: int32
+                            maximum: 1000000
+                            minimum: 0
+                            type: integer
+                        required:
+                        - name
+                        type: object
+                      maxItems: 16
+                      minItems: 1
+                      type: array
+                  type: object
+                maxItems: 16
+                minItems: 1
+                type: array
+            required:
+            - rules
+            type: object
+          status:
+            description: Status defines the current state of TLSRoute.
+            properties:
+              parents:
+                description: "Parents is a list of parent resources (usually Gateways)
+                  that are associated with the route, and the status of the route
+                  with respect to each parent. When this route attaches to a parent,
+                  the controller that manages the parent must add an entry to this
+                  list when the controller first sees the route and should update
+                  the entry as appropriate when the route or gateway is modified.
+                  \n Note that parent references that cannot be resolved by an implementation
+                  of this API will not be added to this list. Implementations of this
+                  API can only populate Route status for the Gateways/parent resources
+                  they are responsible for. \n A maximum of 32 Gateways will be represented
+                  in this list. An empty list means the route has not been attached
+                  to any Gateway."
+                items:
+                  description: RouteParentStatus describes the status of a route with
+                    respect to an associated Parent.
+                  properties:
+                    conditions:
+                      description: "Conditions describes the status of the route with
+                        respect to the Gateway. Note that the route's availability
+                        is also subject to the Gateway's own status conditions and
+                        listener status. \n If the Route's ParentRef specifies an
+                        existing Gateway that supports Routes of this kind AND that
+                        Gateway's controller has sufficient access, then that Gateway's
+                        controller MUST set the \"Accepted\" condition on the Route,
+                        to indicate whether the route has been accepted or rejected
+                        by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
+                        if at least one of the Route's rules is implemented by the
+                        Gateway. \n There are a number of cases where the \"Accepted\"
+                        condition may not be set due to lack of controller visibility,
+                        that includes when: \n * The Route refers to a non-existent
+                        parent. * The Route is of a type that the controller does
+                        not support. * The Route is in a namespace the the controller
+                        does not have access to."
+                      items:
+                        description: "Condition contains details for one aspect of
+                          the current state of this API Resource. --- This struct
+                          is intended for direct use as an array at the field path
+                          .status.conditions.  For example, type FooStatus struct{
+                          \    // Represents the observations of a foo's current state.
+                          \    // Known .status.conditions.type are: \"Available\",
+                          \"Progressing\", and \"Degraded\"     // +patchMergeKey=type
+                          \    // +patchStrategy=merge     // +listType=map     //
+                          +listMapKey=type     Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                          patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
+                          \n     // other fields }"
+                        properties:
+                          lastTransitionTime:
+                            description: lastTransitionTime is the last time the condition
+                              transitioned from one status to another. This should
+                              be when the underlying condition changed.  If that is
+                              not known, then using the time when the API field changed
+                              is acceptable.
+                            format: date-time
+                            type: string
+                          message:
+                            description: message is a human readable message indicating
+                              details about the transition. This may be an empty string.
+                            maxLength: 32768
+                            type: string
+                          observedGeneration:
+                            description: observedGeneration represents the .metadata.generation
+                              that the condition was set based upon. For instance,
+                              if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+                              is 9, the condition is out of date with respect to the
+                              current state of the instance.
+                            format: int64
+                            minimum: 0
+                            type: integer
+                          reason:
+                            description: reason contains a programmatic identifier
+                              indicating the reason for the condition's last transition.
+                              Producers of specific condition types may define expected
+                              values and meanings for this field, and whether the
+                              values are considered a guaranteed API. The value should
+                              be a CamelCase string. This field may not be empty.
+                            maxLength: 1024
+                            minLength: 1
+                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                            type: string
+                          status:
+                            description: status of the condition, one of True, False,
+                              Unknown.
+                            enum:
+                            - "True"
+                            - "False"
+                            - Unknown
+                            type: string
+                          type:
+                            description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                              --- Many .condition.type values are consistent across
+                              resources like Available, but because arbitrary conditions
+                              can be useful (see .node.status.conditions), the ability
+                              to deconflict is important. The regex it matches is
+                              (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                            maxLength: 316
+                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                            type: string
+                        required:
+                        - lastTransitionTime
+                        - message
+                        - reason
+                        - status
+                        - type
+                        type: object
+                      maxItems: 8
+                      minItems: 1
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - type
+                      x-kubernetes-list-type: map
+                    controllerName:
+                      description: "ControllerName is a domain/path string that indicates
+                        the name of the controller that wrote this status. This corresponds
+                        with the controllerName field on GatewayClass. \n Example:
+                        \"example.net/gateway-controller\". \n The format of this
+                        field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+                        Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)."
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+                      type: string
+                    parentRef:
+                      description: ParentRef corresponds with a ParentRef in the spec
+                        that this RouteParentStatus struct describes the status of.
+                      properties:
+                        group:
+                          default: gateway.networking.k8s.io
+                          description: "Group is the group of the referent. \n Support:
+                            Core"
+                          maxLength: 253
+                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                        kind:
+                          default: Gateway
+                          description: "Kind is kind of the referent. \n Support:
+                            Core (Gateway) Support: Custom (Other Resources)"
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                          type: string
+                        name:
+                          description: "Name is the name of the referent. \n Support:
+                            Core"
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                        namespace:
+                          description: "Namespace is the namespace of the referent.
+                            When unspecified (or empty string), this refers to the
+                            local namespace of the Route. \n Support: Core"
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                          type: string
+                        sectionName:
+                          description: "SectionName is the name of a section within
+                            the target resource. In the following resources, SectionName
+                            is interpreted as the following: \n * Gateway: Listener
+                            Name \n Implementations MAY choose to support attaching
+                            Routes to other resources. If that is the case, they MUST
+                            clearly document how SectionName is interpreted. \n When
+                            unspecified (empty string), this will reference the entire
+                            resource. For the purpose of status, an attachment is
+                            considered successful if at least one section in the parent
+                            resource accepts it. For example, Gateway listeners can
+                            restrict which Routes can attach to them by Route kind,
+                            namespace, or hostname. If 1 of 2 Gateway listeners accept
+                            attachment from the referencing Route, the Route MUST
+                            be considered successfully attached. If no Gateway listeners
+                            accept attachment from this Route, the Route MUST be considered
+                            detached from the Gateway. \n Support: Core"
+                          maxLength: 253
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                      required:
+                      - name
+                      type: object
+                  required:
+                  - controllerName
+                  - parentRef
+                  type: object
+                maxItems: 32
+                type: array
+            required:
+            - parents
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
@@ -4,6 +4,13 @@ kind: ClusterRole
 metadata:
  name: gateway-role
 rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - list
+      - watch
  - apiGroups:
      - ""
    resources:
@@ -15,7 +22,7 @@ rules:
      - list
      - watch
  - apiGroups:
-      - networking.x-k8s.io
+      - gateway.networking.k8s.io
    resources:
      - gatewayclasses
      - gateways
@@ -27,7 +34,7 @@ rules:
      - list
      - watch
  - apiGroups:
-      - networking.x-k8s.io
+      - gateway.networking.k8s.io
    resources:
      - gatewayclasses/status
      - gateways/status
@@ -42,7 +49,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: gateway-controller
-
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-resource.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-resource.yml
@@ -1,124 +1,116 @@
 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: GatewayClass
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
  name: my-gateway-class
 spec:
-  controller: traefik.io/gateway-controller
+  controllerName: traefik.io/gateway-controller

 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: Gateway
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
  name: my-gateway
  namespace: default
 spec:
  gatewayClassName: my-gateway-class
-  listeners:  # Use GatewayClass defaults for listener definition.
-    - protocol: HTTP
+  listeners: # Use GatewayClass defaults for listener definition.
+    - name: http
+      protocol: HTTP
      port: 80
-      routes:
-        kind: HTTPRoute
-        namespaces:
-          from: Same
-        selector:
-          matchLabels:
-            app: foo
-     - protocol: HTTPS
-       port: 443
-       tls:
-         certificateRef:
-           group: "core"
-           kind: "Secret"
-           name: "mysecret"
-       routes:
-         kind: HTTPRoute
-         selector:
-           matchLabels:
-             app: foo
-    - protocol: TCP
+
+    - name: https
+      protocol: HTTPS
+      port: 443
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: mysecret
+
+    - name: tcp
+      protocol: TCP
      port: 9000
-      routes:
-        kind: TCPRoute
-        namespaces:
-          from: Same
-        selector:
-          matchLabels:
-            app: footcp
-    - protocol: TLS
+      allowedRoutes:
+        kinds:
+          - kind: TCPRoute
+
+    - name: tls
+      protocol: TLS
      port: 9443
      hostname: example.com
      tls:
-        certificateRef:
-          group: "core"
-          kind: "Secret"
-          name: "mysecret"
-      routes:
-        kind: TLSRoute
-        namespaces:
-          from: Same
-        selector:
-          matchLabels:
-            app: footls
+        - certificateRefs:
+            - kind: Secret
+              name: mysecret

 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: HTTPRoute
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
-  name: http-app-1
+  name: http-app
  namespace: default
-  labels:
-    app: foo
+
 spec:
+  parentRefs:
+    - name: my-gateway
+
  hostnames:
-    - "foo.com"
+    - foo.com
+
  rules:
    - matches:
        - path:
            type: Exact
            value: /bar
-      forwardTo:
-        - serviceName: whoami
+
+      backendRefs:
+        - name: whoami
          port: 80
          weight: 1
+
    - matches:
        - path:
-            type: Prefix
+            type: PathPrefix
            value: /foo
-      forwardTo:
-        - backendRef:
-            group: traefik.containo.us
-            kind: TraefikService
-            name: myservice@file
+
+      backendRefs:
+        - group: traefik.containo.us
+          kind: TraefikService
+          name: myservice@file
          weight: 1
          port: 80

 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: TCPRoute
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
-  name: tcp-app-1
+  name: tcp-app
  namespace: default
-  labels:
-    app: footcp
+
 spec:
+  parentRefs:
+    - name: my-gateway
+
  rules:
-     - forwardTo:
-        - serviceName: whoamitcp
+    - backendRefs:
+        - name: whoamitcp
          port: 9000
          weight: 1

 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: TLSRoute
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
-  name: tls-app-1
+  name: tls-app
  namespace: default
-  labels:
-    app: footls
+
 spec:
+  parentRefs:
+    - name: my-gateway
+      sectionName: tls
+
  rules:
-    - forwardTo:
-        - serviceName: whoamitcp
+    - backendRefs:
+        - name: whoamitcp
          port: 9000
          weight: 1
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml
@@ -1,48 +1,50 @@
 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: GatewayClass
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
  name: my-gateway-class
+
 spec:
-  controller: traefik.io/gateway-controller
+  controllerName: traefik.io/gateway-controller

 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: Gateway
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
  name: my-gateway
+
 spec:
  gatewayClassName: my-gateway-class
  listeners:
-    - protocol: HTTPS
+    - name: https
+      protocol: HTTPS
      port: 443
      tls:
-        certificateRef:
-          group: "core"
-          kind: "Secret"
-          name: "mysecret"
-      routes:
-        kind: HTTPRoute
-        selector:
-          matchLabels:
-            app: foo
+        certificateRefs:
+          - kind: Secret
+            name: mysecret
+
 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: HTTPRoute
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
-  name: http-app-1
+  name: http-app
  namespace: default
-  labels:
-    app: foo
+
 spec:
+  parentRefs:
+    - name: my-gateway
+
  hostnames:
-    - "whoami"
+    - whoami
+
  rules:
    - matches:
        - path:
            type: Exact
            value: /foo
-      forwardTo:
-        - serviceName: whoami
+
+      backendRefs:
+        - name: whoami
          port: 80
          weight: 1
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
@@ -5,8 +5,8 @@ metadata:
  name: traefik-controller

 ---
-kind: Deployment
 apiVersion: apps/v1
+kind: Deployment
 metadata:
  name: traefik

@@ -15,24 +15,27 @@ spec:
  selector:
    matchLabels:
      app: traefik-lb
+
  template:
    metadata:
      labels:
        app: traefik-lb
+
    spec:
      serviceAccountName: traefik-controller
      containers:
        - name: traefik
-          image: traefik/traefik:latest
-          imagePullPolicy: IfNotPresent
+          image: traefik:v2.7
          args:
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --experimental.kubernetesgateway
            - --providers.kubernetesgateway
+
          ports:
            - name: web
              containerPort: 80
+
            - name: websecure
              containerPort: 443

@@ -41,16 +44,19 @@ apiVersion: v1
 kind: Service
 metadata:
  name: traefik
+
 spec:
+  type: LoadBalancer
  selector:
    app: traefik-lb
+
  ports:
    - protocol: TCP
      port: 80
      targetPort: web
      name: web
+
    - protocol: TCP
      port: 443
      targetPort: websecure
      name: websecure
-  type: LoadBalancer
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway.md
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway.md
@@ -6,11 +6,11 @@ Dynamic configuration with Kubernetes Gateway provider.
 ## Definitions

 ```yaml
--8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gatewayclasses.yaml"
--8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gateways.yaml"
--8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_httproutes.yaml"
--8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_tcproutes.yaml"
--8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_tlsroutes.yaml"
+--8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_gatewayclasses.yaml"
+--8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_gateways.yaml"
+--8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_httproutes.yaml"
+--8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_tcproutes.yaml"
+--8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_tlsroutes.yaml"
 ```

 ## Resources
--- a/docs/content/reference/dynamic-configuration/kubernetes-whoami-svc.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-whoami-svc.yml
@@ -1,6 +1,6 @@
 ---
-kind: Deployment
 apiVersion: apps/v1
+kind: Deployment
 metadata:
  name: whoami

@@ -9,10 +9,12 @@ spec:
  selector:
    matchLabels:
      app: whoami
+
  template:
    metadata:
      labels:
        app: whoami
+
    spec:
      containers:
        - name: whoami
@@ -25,8 +27,9 @@ metadata:
  name: whoami

 spec:
+  selector:
+    app: whoami
+
  ports:
    - protocol: TCP
      port: 80
-  selector:
-    app: whoami
--- a/docs/content/reference/dynamic-configuration/kv-ref.md
+++ b/docs/content/reference/dynamic-configuration/kv-ref.md
@@ -15,6 +15,7 @@
 | `traefik/http/middlewares/Middleware04/circuitBreaker/expression` | `foobar` |
 | `traefik/http/middlewares/Middleware05/compress/excludedContentTypes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware05/compress/excludedContentTypes/1` | `foobar` |
+| `traefik/http/middlewares/Middleware05/compress/minResponseBodyBytes` | `42` |
 | `traefik/http/middlewares/Middleware06/contentType/autoDetect` | `true` |
 | `traefik/http/middlewares/Middleware07/digestAuth/headerField` | `foobar` |
 | `traefik/http/middlewares/Middleware07/digestAuth/realm` | `foobar` |
@@ -106,6 +107,7 @@
 | `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/domainComponent` | `true` |
 | `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/locality` | `true` |
 | `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/organization` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/organizationalUnit` | `true` |
 | `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/province` | `true` |
 | `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/serialNumber` | `true` |
 | `traefik/http/middlewares/Middleware13/passTLSClientCert/pem` | `true` |
@@ -226,12 +228,16 @@
 | `traefik/http/services/Service03/weighted/sticky/cookie/name` | `foobar` |
 | `traefik/http/services/Service03/weighted/sticky/cookie/sameSite` | `foobar` |
 | `traefik/http/services/Service03/weighted/sticky/cookie/secure` | `true` |
+| `traefik/http/services/Service04/failover/fallback` | `foobar` |
+| `traefik/http/services/Service04/failover/healthCheck` | `` |
+| `traefik/http/services/Service04/failover/service` | `foobar` |
 | `traefik/tcp/middlewares/Middleware00/ipWhiteList/sourceRange/0` | `foobar` |
 | `traefik/tcp/middlewares/Middleware00/ipWhiteList/sourceRange/1` | `foobar` |
 | `traefik/tcp/routers/TCPRouter0/entryPoints/0` | `foobar` |
 | `traefik/tcp/routers/TCPRouter0/entryPoints/1` | `foobar` |
 | `traefik/tcp/routers/TCPRouter0/middlewares/0` | `foobar` |
 | `traefik/tcp/routers/TCPRouter0/middlewares/1` | `foobar` |
+| `traefik/tcp/routers/TCPRouter0/priority` | `42` |
 | `traefik/tcp/routers/TCPRouter0/rule` | `foobar` |
 | `traefik/tcp/routers/TCPRouter0/service` | `foobar` |
 | `traefik/tcp/routers/TCPRouter0/tls/certResolver` | `foobar` |
@@ -247,6 +253,7 @@
 | `traefik/tcp/routers/TCPRouter1/entryPoints/1` | `foobar` |
 | `traefik/tcp/routers/TCPRouter1/middlewares/0` | `foobar` |
 | `traefik/tcp/routers/TCPRouter1/middlewares/1` | `foobar` |
+| `traefik/tcp/routers/TCPRouter1/priority` | `42` |
 | `traefik/tcp/routers/TCPRouter1/rule` | `foobar` |
 | `traefik/tcp/routers/TCPRouter1/service` | `foobar` |
 | `traefik/tcp/routers/TCPRouter1/tls/certResolver` | `foobar` |
--- a/docs/content/reference/dynamic-configuration/marathon-labels.json
+++ b/docs/content/reference/dynamic-configuration/marathon-labels.json
@@ -13,6 +13,7 @@
 "traefik.http.middlewares.middleware04.circuitbreaker.expression": "foobar",
 "traefik.http.middlewares.middleware05.compress": "true",
 "traefik.http.middlewares.middleware05.compress.excludedcontenttypes": "foobar, foobar",
+"traefik.http.middlewares.middleware05.compress.minresponsebodybytes": "42",
 "traefik.http.middlewares.middleware06.contenttype.autodetect": "true",
 "traefik.http.middlewares.middleware07.digestauth.headerfield": "foobar",
 "traefik.http.middlewares.middleware07.digestauth.realm": "foobar",
@@ -90,6 +91,7 @@
 "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.domaincomponent": "true",
 "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.locality": "true",
 "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organization": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organizationalunit": "true",
 "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.province": "true",
 "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.serialnumber": "true",
 "traefik.http.middlewares.middleware13.passtlsclientcert.pem": "true",
@@ -161,6 +163,7 @@
 "traefik.http.services.service01.loadbalancer.serverstransport": "foobar",
 "traefik.tcp.routers.tcprouter0.entrypoints": "foobar, foobar",
 "traefik.tcp.routers.tcprouter0.rule": "foobar",
+"traefik.tcp.routers.tcprouter0.priority": "42",
 "traefik.tcp.routers.tcprouter0.service": "foobar",
 "traefik.tcp.routers.tcprouter0.tls": "true",
 "traefik.tcp.routers.tcprouter0.tls.certresolver": "foobar",
@@ -172,6 +175,7 @@
 "traefik.tcp.routers.tcprouter0.tls.passthrough": "true",
 "traefik.tcp.routers.tcprouter1.entrypoints": "foobar, foobar",
 "traefik.tcp.routers.tcprouter1.rule": "foobar",
+"traefik.tcp.routers.tcprouter1.priority": "42",
 "traefik.tcp.routers.tcprouter1.service": "foobar",
 "traefik.tcp.routers.tcprouter1.tls": "true",
 "traefik.tcp.routers.tcprouter1.tls.certresolver": "foobar",
--- a/docs/content/reference/dynamic-configuration/networking.x-k8s.io_httproutes.yaml
+++ b/docs/content/reference/dynamic-configuration/networking.x-k8s.io_httproutes.yaml
@@ -1,971 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.5.0
-  creationTimestamp: null
-  name: httproutes.networking.x-k8s.io
-spec:
-  group: networking.x-k8s.io
-  names:
-    categories:
-    - gateway-api
-    kind: HTTPRoute
-    listKind: HTTPRouteList
-    plural: httproutes
-    singular: httproute
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .spec.hostnames
-      name: Hostnames
-      type: string
-    - jsonPath: .metadata.creationTimestamp
-      name: Age
-      type: date
-    name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: HTTPRoute is the Schema for the HTTPRoute resource.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: Spec defines the desired state of HTTPRoute.
-            properties:
-              gateways:
-                default:
-                  allow: SameNamespace
-                description: Gateways defines which Gateways can use this Route.
-                properties:
-                  allow:
-                    default: SameNamespace
-                    description: 'Allow indicates which Gateways will be allowed to
-                      use this route. Possible values are: * All: Gateways in any
-                      namespace can use this route. * FromList: Only Gateways specified
-                      in GatewayRefs may use this route. * SameNamespace: Only Gateways
-                      in the same namespace may use this route.'
-                    enum:
-                    - All
-                    - FromList
-                    - SameNamespace
-                    type: string
-                  gatewayRefs:
-                    description: GatewayRefs must be specified when Allow is set to
-                      "FromList". In that case, only Gateways referenced in this list
-                      will be allowed to use this route. This field is ignored for
-                      other values of "Allow".
-                    items:
-                      description: GatewayReference identifies a Gateway in a specified
-                        namespace.
-                      properties:
-                        name:
-                          description: Name is the name of the referent.
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                        namespace:
-                          description: Namespace is the namespace of the referent.
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                      required:
-                      - name
-                      - namespace
-                      type: object
-                    type: array
-                type: object
-              hostnames:
-                description: "Hostnames defines a set of hostname that should match
-                  against the HTTP Host header to select a HTTPRoute to process the
-                  request. Hostname is the fully qualified domain name of a network
-                  host, as defined by RFC 3986. Note the following deviations from
-                  the \"host\" part of the URI as defined in the RFC: \n 1. IPs are
-                  not allowed. 2. The `:` delimiter is not respected because ports
-                  are not allowed. \n Incoming requests are matched against the hostnames
-                  before the HTTPRoute rules. If no hostname is specified, traffic
-                  is routed based on the HTTPRouteRules. \n Hostname can be \"precise\"
-                  which is a domain name without the terminating dot of a network
-                  host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
-                  name prefixed with a single wildcard label (e.g. `*.example.com`).
-                  The wildcard character `*` must appear by itself as the first DNS
-                  label and matches only a single label. You cannot have a wildcard
-                  label by itself (e.g. Host == `*`). Requests will be matched against
-                  the Host field in the following order: \n 1. If Host is precise,
-                  the request matches this rule if    the HTTP Host header is equal
-                  to Host. 2. If Host is a wildcard, then the request matches this
-                  rule if    the HTTP Host header is to equal to the suffix    (removing
-                  the first label) of the wildcard rule. \n Support: Core"
-                items:
-                  description: Hostname is used to specify a hostname that should
-                    be matched.
-                  maxLength: 253
-                  minLength: 1
-                  type: string
-                maxItems: 16
-                type: array
-              rules:
-                default:
-                - matches:
-                  - path:
-                      type: Prefix
-                      value: /
-                description: Rules are a list of HTTP matchers, filters and actions.
-                items:
-                  description: HTTPRouteRule defines semantics for matching an HTTP
-                    request based on conditions, optionally executing additional processing
-                    steps, and forwarding the request to an API object.
-                  properties:
-                    filters:
-                      description: "Filters define the filters that are applied to
-                        requests that match this rule. \n The effects of ordering
-                        of multiple behaviors are currently unspecified. This can
-                        change in the future based on feedback during the alpha stage.
-                        \n Conformance-levels at this level are defined based on the
-                        type of filter: \n - ALL core filters MUST be supported by
-                        all implementations. - Implementers are encouraged to support
-                        extended filters. - Implementation-specific custom filters
-                        have no API guarantees across   implementations. \n Specifying
-                        a core filter multiple times has unspecified or custom conformance.
-                        \n Support: Core"
-                      items:
-                        description: 'HTTPRouteFilter defines additional processing
-                          steps that must be completed during the request or response
-                          lifecycle. HTTPRouteFilters are meant as an extension point
-                          to express additional processing that may be done in Gateway
-                          implementations. Some examples include request or response
-                          modification, implementing authentication strategies, rate-limiting,
-                          and traffic shaping. API guarantee/conformance is defined
-                          based on the type of the filter. TODO(hbagdi): re-render
-                          CRDs once controller-tools supports union tags: - https://github.com/kubernetes-sigs/controller-tools/pull/298
-                          - https://github.com/kubernetes-sigs/controller-tools/issues/461'
-                        properties:
-                          extensionRef:
-                            description: "ExtensionRef is an optional, implementation-specific
-                              extension to the \"filter\" behavior.  For example,
-                              resource \"myroutefilter\" in group \"networking.acme.io\").
-                              ExtensionRef MUST NOT be used for core and extended
-                              filters. \n Support: Implementation-specific"
-                            properties:
-                              group:
-                                description: Group is the group of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              kind:
-                                description: Kind is kind of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              name:
-                                description: Name is the name of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                            required:
-                            - group
-                            - kind
-                            - name
-                            type: object
-                          requestHeaderModifier:
-                            description: "RequestHeaderModifier defines a schema for
-                              a filter that modifies request headers. \n Support:
-                              Core"
-                            properties:
-                              add:
-                                additionalProperties:
-                                  type: string
-                                description: "Add adds the given header (name, value)
-                                  to the request before the action. It appends to
-                                  any existing values associated with the header name.
-                                  \n Input:   GET /foo HTTP/1.1   my-header: foo \n
-                                  Config:   add: {\"my-header\": \"bar\"} \n Output:
-                                  \  GET /foo HTTP/1.1   my-header: foo   my-header:
-                                  bar \n Support: Extended"
-                                type: object
-                              remove:
-                                description: "Remove the given header(s) from the
-                                  HTTP request before the action. The value of RemoveHeader
-                                  is a list of HTTP header names. Note that the header
-                                  names are case-insensitive [RFC-2616 4.2]. \n Input:
-                                  \  GET /foo HTTP/1.1   my-header1: foo   my-header2:
-                                  bar   my-header3: baz \n Config:   remove: [\"my-header1\",
-                                  \"my-header3\"] \n Output:   GET /foo HTTP/1.1   my-header2:
-                                  bar \n Support: Extended"
-                                items:
-                                  type: string
-                                maxItems: 16
-                                type: array
-                              set:
-                                additionalProperties:
-                                  type: string
-                                description: "Set overwrites the request with the
-                                  given header (name, value) before the action. \n
-                                  Input:   GET /foo HTTP/1.1   my-header: foo \n Config:
-                                  \  set: {\"my-header\": \"bar\"} \n Output:   GET
-                                  /foo HTTP/1.1   my-header: bar \n Support: Extended"
-                                type: object
-                            type: object
-                          requestMirror:
-                            description: "RequestMirror defines a schema for a filter
-                              that mirrors requests. \n Support: Extended"
-                            properties:
-                              backendRef:
-                                description: "BackendRef is a local object reference
-                                  to mirror matched requests to. If both BackendRef
-                                  and ServiceName are specified, ServiceName will
-                                  be given precedence. \n If the referent cannot be
-                                  found, the rule is not included in the route. The
-                                  controller should raise the \"ResolvedRefs\" condition
-                                  on the Gateway with the \"DegradedRoutes\" reason.
-                                  The gateway status for this route should be updated
-                                  with a condition that describes the error more specifically.
-                                  \n Support: Custom"
-                                properties:
-                                  group:
-                                    description: Group is the group of the referent.
-                                    maxLength: 253
-                                    minLength: 1
-                                    type: string
-                                  kind:
-                                    description: Kind is kind of the referent.
-                                    maxLength: 253
-                                    minLength: 1
-                                    type: string
-                                  name:
-                                    description: Name is the name of the referent.
-                                    maxLength: 253
-                                    minLength: 1
-                                    type: string
-                                required:
-                                - group
-                                - kind
-                                - name
-                                type: object
-                              port:
-                                description: "Port specifies the destination port
-                                  number to use for the backend referenced by the
-                                  ServiceName or BackendRef field. \n If unspecified,
-                                  the destination port in the request is used when
-                                  forwarding to a backendRef or serviceName."
-                                format: int32
-                                maximum: 65535
-                                minimum: 1
-                                type: integer
-                              serviceName:
-                                description: "ServiceName refers to the name of the
-                                  Service to mirror matched requests to. When specified,
-                                  this takes the place of BackendRef. If both BackendRef
-                                  and ServiceName are specified, ServiceName will
-                                  be given precedence. \n If the referent cannot be
-                                  found, the rule is not included in the route. The
-                                  controller should raise the \"ResolvedRefs\" condition
-                                  on the Gateway with the \"DegradedRoutes\" reason.
-                                  The gateway status for this route should be updated
-                                  with a condition that describes the error more specifically.
-                                  \n Support: Core"
-                                maxLength: 253
-                                type: string
-                            type: object
-                          type:
-                            description: "Type identifies the type of filter to apply.
-                              As with other API fields, types are classified into
-                              three conformance levels: \n - Core: Filter types and
-                              their corresponding configuration defined by   \"Support:
-                              Core\" in this package, e.g. \"RequestHeaderModifier\".
-                              All   implementations must support core filters. \n
-                              - Extended: Filter types and their corresponding configuration
-                              defined by   \"Support: Extended\" in this package,
-                              e.g. \"RequestMirror\". Implementers   are encouraged
-                              to support extended filters. \n - Custom: Filters that
-                              are defined and supported by specific vendors.   In
-                              the future, filters showing convergence in behavior
-                              across multiple   implementations will be considered
-                              for inclusion in extended or core   conformance levels.
-                              Filter-specific configuration for such filters   is
-                              specified using the ExtensionRef field. `Type` should
-                              be set to   \"ExtensionRef\" for custom filters. \n
-                              Implementers are encouraged to define custom implementation
-                              types to extend the core API with implementation-specific
-                              behavior."
-                            enum:
-                            - RequestHeaderModifier
-                            - RequestMirror
-                            - ExtensionRef
-                            type: string
-                        required:
-                        - type
-                        type: object
-                      maxItems: 16
-                      type: array
-                    forwardTo:
-                      description: ForwardTo defines the backend(s) where matching
-                        requests should be sent. If unspecified, the rule performs
-                        no forwarding. If unspecified and no filters are specified
-                        that would result in a response being sent, a 503 error code
-                        is returned.
-                      items:
-                        description: HTTPRouteForwardTo defines how a HTTPRoute should
-                          forward a request.
-                        properties:
-                          backendRef:
-                            description: "BackendRef is a reference to a backend to
-                              forward matched requests to. If both BackendRef and
-                              ServiceName are specified, ServiceName will be given
-                              precedence. \n If the referent cannot be found, the
-                              route must be dropped from the Gateway. The controller
-                              should raise the \"ResolvedRefs\" condition on the Gateway
-                              with the \"DegradedRoutes\" reason. The gateway status
-                              for this route should be updated with a condition that
-                              describes the error more specifically. \n Support: Custom"
-                            properties:
-                              group:
-                                description: Group is the group of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              kind:
-                                description: Kind is kind of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              name:
-                                description: Name is the name of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                            required:
-                            - group
-                            - kind
-                            - name
-                            type: object
-                          filters:
-                            description: "Filters defined at this-level should be
-                              executed if and only if the request is being forwarded
-                              to the backend defined here. \n Support: Custom (For
-                              broader support of filters, use the Filters field in
-                              HTTPRouteRule.)"
-                            items:
-                              description: 'HTTPRouteFilter defines additional processing
-                                steps that must be completed during the request or
-                                response lifecycle. HTTPRouteFilters are meant as
-                                an extension point to express additional processing
-                                that may be done in Gateway implementations. Some
-                                examples include request or response modification,
-                                implementing authentication strategies, rate-limiting,
-                                and traffic shaping. API guarantee/conformance is
-                                defined based on the type of the filter. TODO(hbagdi):
-                                re-render CRDs once controller-tools supports union
-                                tags: - https://github.com/kubernetes-sigs/controller-tools/pull/298
-                                - https://github.com/kubernetes-sigs/controller-tools/issues/461'
-                              properties:
-                                extensionRef:
-                                  description: "ExtensionRef is an optional, implementation-specific
-                                    extension to the \"filter\" behavior.  For example,
-                                    resource \"myroutefilter\" in group \"networking.acme.io\").
-                                    ExtensionRef MUST NOT be used for core and extended
-                                    filters. \n Support: Implementation-specific"
-                                  properties:
-                                    group:
-                                      description: Group is the group of the referent.
-                                      maxLength: 253
-                                      minLength: 1
-                                      type: string
-                                    kind:
-                                      description: Kind is kind of the referent.
-                                      maxLength: 253
-                                      minLength: 1
-                                      type: string
-                                    name:
-                                      description: Name is the name of the referent.
-                                      maxLength: 253
-                                      minLength: 1
-                                      type: string
-                                  required:
-                                  - group
-                                  - kind
-                                  - name
-                                  type: object
-                                requestHeaderModifier:
-                                  description: "RequestHeaderModifier defines a schema
-                                    for a filter that modifies request headers. \n
-                                    Support: Core"
-                                  properties:
-                                    add:
-                                      additionalProperties:
-                                        type: string
-                                      description: "Add adds the given header (name,
-                                        value) to the request before the action. It
-                                        appends to any existing values associated
-                                        with the header name. \n Input:   GET /foo
-                                        HTTP/1.1   my-header: foo \n Config:   add:
-                                        {\"my-header\": \"bar\"} \n Output:   GET
-                                        /foo HTTP/1.1   my-header: foo   my-header:
-                                        bar \n Support: Extended"
-                                      type: object
-                                    remove:
-                                      description: "Remove the given header(s) from
-                                        the HTTP request before the action. The value
-                                        of RemoveHeader is a list of HTTP header names.
-                                        Note that the header names are case-insensitive
-                                        [RFC-2616 4.2]. \n Input:   GET /foo HTTP/1.1
-                                        \  my-header1: foo   my-header2: bar   my-header3:
-                                        baz \n Config:   remove: [\"my-header1\",
-                                        \"my-header3\"] \n Output:   GET /foo HTTP/1.1
-                                        \  my-header2: bar \n Support: Extended"
-                                      items:
-                                        type: string
-                                      maxItems: 16
-                                      type: array
-                                    set:
-                                      additionalProperties:
-                                        type: string
-                                      description: "Set overwrites the request with
-                                        the given header (name, value) before the
-                                        action. \n Input:   GET /foo HTTP/1.1   my-header:
-                                        foo \n Config:   set: {\"my-header\": \"bar\"}
-                                        \n Output:   GET /foo HTTP/1.1   my-header:
-                                        bar \n Support: Extended"
-                                      type: object
-                                  type: object
-                                requestMirror:
-                                  description: "RequestMirror defines a schema for
-                                    a filter that mirrors requests. \n Support: Extended"
-                                  properties:
-                                    backendRef:
-                                      description: "BackendRef is a local object reference
-                                        to mirror matched requests to. If both BackendRef
-                                        and ServiceName are specified, ServiceName
-                                        will be given precedence. \n If the referent
-                                        cannot be found, the rule is not included
-                                        in the route. The controller should raise
-                                        the \"ResolvedRefs\" condition on the Gateway
-                                        with the \"DegradedRoutes\" reason. The gateway
-                                        status for this route should be updated with
-                                        a condition that describes the error more
-                                        specifically. \n Support: Custom"
-                                      properties:
-                                        group:
-                                          description: Group is the group of the referent.
-                                          maxLength: 253
-                                          minLength: 1
-                                          type: string
-                                        kind:
-                                          description: Kind is kind of the referent.
-                                          maxLength: 253
-                                          minLength: 1
-                                          type: string
-                                        name:
-                                          description: Name is the name of the referent.
-                                          maxLength: 253
-                                          minLength: 1
-                                          type: string
-                                      required:
-                                      - group
-                                      - kind
-                                      - name
-                                      type: object
-                                    port:
-                                      description: "Port specifies the destination
-                                        port number to use for the backend referenced
-                                        by the ServiceName or BackendRef field. \n
-                                        If unspecified, the destination port in the
-                                        request is used when forwarding to a backendRef
-                                        or serviceName."
-                                      format: int32
-                                      maximum: 65535
-                                      minimum: 1
-                                      type: integer
-                                    serviceName:
-                                      description: "ServiceName refers to the name
-                                        of the Service to mirror matched requests
-                                        to. When specified, this takes the place of
-                                        BackendRef. If both BackendRef and ServiceName
-                                        are specified, ServiceName will be given precedence.
-                                        \n If the referent cannot be found, the rule
-                                        is not included in the route. The controller
-                                        should raise the \"ResolvedRefs\" condition
-                                        on the Gateway with the \"DegradedRoutes\"
-                                        reason. The gateway status for this route
-                                        should be updated with a condition that describes
-                                        the error more specifically. \n Support: Core"
-                                      maxLength: 253
-                                      type: string
-                                  type: object
-                                type:
-                                  description: "Type identifies the type of filter
-                                    to apply. As with other API fields, types are
-                                    classified into three conformance levels: \n -
-                                    Core: Filter types and their corresponding configuration
-                                    defined by   \"Support: Core\" in this package,
-                                    e.g. \"RequestHeaderModifier\". All   implementations
-                                    must support core filters. \n - Extended: Filter
-                                    types and their corresponding configuration defined
-                                    by   \"Support: Extended\" in this package, e.g.
-                                    \"RequestMirror\". Implementers   are encouraged
-                                    to support extended filters. \n - Custom: Filters
-                                    that are defined and supported by specific vendors.
-                                    \  In the future, filters showing convergence
-                                    in behavior across multiple   implementations
-                                    will be considered for inclusion in extended or
-                                    core   conformance levels. Filter-specific configuration
-                                    for such filters   is specified using the ExtensionRef
-                                    field. `Type` should be set to   \"ExtensionRef\"
-                                    for custom filters. \n Implementers are encouraged
-                                    to define custom implementation types to extend
-                                    the core API with implementation-specific behavior."
-                                  enum:
-                                  - RequestHeaderModifier
-                                  - RequestMirror
-                                  - ExtensionRef
-                                  type: string
-                              required:
-                              - type
-                              type: object
-                            maxItems: 16
-                            type: array
-                          port:
-                            description: "Port specifies the destination port number
-                              to use for the backend referenced by the ServiceName
-                              or BackendRef field. If unspecified, the destination
-                              port in the request is used when forwarding to a backendRef
-                              or serviceName. \n Support: Core"
-                            format: int32
-                            maximum: 65535
-                            minimum: 1
-                            type: integer
-                          serviceName:
-                            description: "ServiceName refers to the name of the Service
-                              to forward matched requests to. When specified, this
-                              takes the place of BackendRef. If both BackendRef and
-                              ServiceName are specified, ServiceName will be given
-                              precedence. \n If the referent cannot be found, the
-                              route must be dropped from the Gateway. The controller
-                              should raise the \"ResolvedRefs\" condition on the Gateway
-                              with the \"DegradedRoutes\" reason. The gateway status
-                              for this route should be updated with a condition that
-                              describes the error more specifically. \n The protocol
-                              to use should be specified with the AppProtocol field
-                              on Service resources. This field was introduced in Kubernetes
-                              1.18. If using an earlier version of Kubernetes, a `networking.x-k8s.io/app-protocol`
-                              annotation on the BackendPolicy resource may be used
-                              to define the protocol. If the AppProtocol field is
-                              available, this annotation should not be used. The AppProtocol
-                              field, when populated, takes precedence over the annotation
-                              in the BackendPolicy resource. For custom backends,
-                              it is encouraged to add a semantically-equivalent field
-                              in the Custom Resource Definition. \n Support: Core"
-                            maxLength: 253
-                            type: string
-                          weight:
-                            default: 1
-                            description: "Weight specifies the proportion of HTTP
-                              requests forwarded to the backend referenced by the
-                              ServiceName or BackendRef field. This is computed as
-                              weight/(sum of all weights in this ForwardTo list).
-                              For non-zero values, there may be some epsilon from
-                              the exact proportion defined here depending on the precision
-                              an implementation supports. Weight is not a percentage
-                              and the sum of weights does not need to equal 100. \n
-                              If only one backend is specified and it has a weight
-                              greater than 0, 100% of the traffic is forwarded to
-                              that backend. If weight is set to 0, no traffic should
-                              be forwarded for this entry. If unspecified, weight
-                              defaults to 1. \n Support: Core"
-                            format: int32
-                            maximum: 1000000
-                            minimum: 0
-                            type: integer
-                        type: object
-                      maxItems: 16
-                      type: array
-                    matches:
-                      default:
-                      - path:
-                          type: Prefix
-                          value: /
-                      description: "Matches define conditions used for matching the
-                        rule against incoming HTTP requests. Each match is independent,
-                        i.e. this rule will be matched if **any** one of the matches
-                        is satisfied. \n For example, take the following matches configuration:
-                        \n ``` matches: - path:     value: \"/foo\"   headers:     values:
-                        \      version: \"2\" - path:     value: \"/v2/foo\" ``` \n
-                        For a request to match against this rule, a request should
-                        satisfy EITHER of the two conditions: \n - path prefixed with
-                        `/foo` AND contains the header `version: \"2\"` - path prefix
-                        of `/v2/foo` \n See the documentation for HTTPRouteMatch on
-                        how to specify multiple match conditions that should be ANDed
-                        together. \n If no matches are specified, the default is a
-                        prefix path match on \"/\", which has the effect of matching
-                        every HTTP request. \n Each client request MUST map to a maximum
-                        of one route rule. If a request matches multiple rules, matching
-                        precedence MUST be determined in order of the following criteria,
-                        continuing on ties: \n * The longest matching hostname. *
-                        The longest matching path. * The largest number of header
-                        matches. \n If ties still exist across multiple Routes, matching
-                        precedence MUST be determined in order of the following criteria,
-                        continuing on ties: \n * The oldest Route based on creation
-                        timestamp. For example, a Route with   a creation timestamp
-                        of \"2020-09-08 01:02:03\" is given precedence over   a Route
-                        with a creation timestamp of \"2020-09-08 01:02:04\". * The
-                        Route appearing first in alphabetical order by   \"<namespace>/<name>\".
-                        For example, foo/bar is given precedence over   foo/baz. \n
-                        If ties still exist within the Route that has been given precedence,
-                        matching precedence MUST be granted to the first matching
-                        rule meeting the above criteria."
-                      items:
-                        description: "HTTPRouteMatch defines the predicate used to
-                          match requests to a given action. Multiple match types are
-                          ANDed together, i.e. the match will evaluate to true only
-                          if all conditions are satisfied. \n For example, the match
-                          below will match a HTTP request only if its path starts
-                          with `/foo` AND it contains the `version: \"1\"` header:
-                          \n ``` match:   path:     value: \"/foo\"   headers:     values:
-                          \      version: \"1\" ```"
-                        properties:
-                          extensionRef:
-                            description: "ExtensionRef is an optional, implementation-specific
-                              extension to the \"match\" behavior. For example, resource
-                              \"myroutematcher\" in group \"networking.acme.io\".
-                              If the referent cannot be found, the rule is not included
-                              in the route. The controller should raise the \"ResolvedRefs\"
-                              condition on the Gateway with the \"DegradedRoutes\"
-                              reason. The gateway status for this route should be
-                              updated with a condition that describes the error more
-                              specifically. \n Support: Custom"
-                            properties:
-                              group:
-                                description: Group is the group of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              kind:
-                                description: Kind is kind of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              name:
-                                description: Name is the name of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                            required:
-                            - group
-                            - kind
-                            - name
-                            type: object
-                          headers:
-                            description: Headers specifies a HTTP request header matcher.
-                            properties:
-                              type:
-                                default: Exact
-                                description: "Type specifies how to match against
-                                  the value of the header. \n Support: Core (Exact)
-                                  \n Support: Custom (RegularExpression, ImplementationSpecific)
-                                  \n Since RegularExpression PathType has custom conformance,
-                                  implementations can support POSIX, PCRE or any other
-                                  dialects of regular expressions. Please read the
-                                  implementation's documentation to determine the
-                                  supported dialect. \n HTTP Header name matching
-                                  MUST be case-insensitive (RFC 2616 - section 4.2)."
-                                enum:
-                                - Exact
-                                - RegularExpression
-                                - ImplementationSpecific
-                                type: string
-                              values:
-                                additionalProperties:
-                                  type: string
-                                description: "Values is a map of HTTP Headers to be
-                                  matched. It MUST contain at least one entry. \n
-                                  The HTTP header field name to match is the map key,
-                                  and the value of the HTTP header is the map value.
-                                  HTTP header field name matching MUST be case-insensitive.
-                                  \n Multiple match values are ANDed together, meaning,
-                                  a request must match all the specified headers to
-                                  select the route."
-                                type: object
-                            required:
-                            - values
-                            type: object
-                          path:
-                            default:
-                              type: Prefix
-                              value: /
-                            description: Path specifies a HTTP request path matcher.
-                              If this field is not specified, a default prefix match
-                              on the "/" path is provided.
-                            properties:
-                              type:
-                                default: Prefix
-                                description: "Type specifies how to match against
-                                  the path Value. \n Support: Core (Exact, Prefix)
-                                  \n Support: Custom (RegularExpression, ImplementationSpecific)
-                                  \n Since RegularExpression PathType has custom conformance,
-                                  implementations can support POSIX, PCRE or any other
-                                  dialects of regular expressions. Please read the
-                                  implementation's documentation to determine the
-                                  supported dialect."
-                                enum:
-                                - Exact
-                                - Prefix
-                                - RegularExpression
-                                - ImplementationSpecific
-                                type: string
-                              value:
-                                default: /
-                                description: Value of the HTTP path to match against.
-                                type: string
-                            type: object
-                          queryParams:
-                            description: QueryParams specifies a HTTP query parameter
-                              matcher.
-                            properties:
-                              type:
-                                default: Exact
-                                description: "Type specifies how to match against
-                                  the value of the query parameter. \n Support: Extended
-                                  (Exact) \n Support: Custom (RegularExpression, ImplementationSpecific)
-                                  \n Since RegularExpression QueryParamMatchType has
-                                  custom conformance, implementations can support
-                                  POSIX, PCRE or any other dialects of regular expressions.
-                                  Please read the implementation's documentation to
-                                  determine the supported dialect."
-                                enum:
-                                - Exact
-                                - RegularExpression
-                                - ImplementationSpecific
-                                type: string
-                              values:
-                                additionalProperties:
-                                  type: string
-                                description: "Values is a map of HTTP query parameters
-                                  to be matched. It MUST contain at least one entry.
-                                  \n The query parameter name to match is the map
-                                  key, and the value of the query parameter is the
-                                  map value. \n Multiple match values are ANDed together,
-                                  meaning, a request must match all the specified
-                                  query parameters to select the route. \n HTTP query
-                                  parameter matching MUST be case-sensitive for both
-                                  keys and values. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).
-                                  \n Note that the query parameter key MUST always
-                                  be an exact match by string comparison."
-                                type: object
-                            required:
-                            - values
-                            type: object
-                        type: object
-                      maxItems: 8
-                      type: array
-                  type: object
-                maxItems: 16
-                type: array
-              tls:
-                description: "TLS defines the TLS certificate to use for Hostnames
-                  defined in this Route. This configuration only takes effect if the
-                  AllowRouteOverride field is set to true in the associated Gateway
-                  resource. \n Collisions can happen if multiple HTTPRoutes define
-                  a TLS certificate for the same hostname. In such a case, conflict
-                  resolution guiding principles apply, specifically, if hostnames
-                  are same and two different certificates are specified then the certificate
-                  in the oldest resource wins. \n Please note that HTTP Route-selection
-                  takes place after the TLS Handshake (ClientHello). Due to this,
-                  TLS certificate defined here will take precedence even if the request
-                  has the potential to match multiple routes (in case multiple HTTPRoutes
-                  share the same hostname). \n Support: Core"
-                properties:
-                  certificateRef:
-                    description: "CertificateRef is a reference to a Kubernetes object
-                      that contains a TLS certificate and private key. This certificate
-                      is used to establish a TLS handshake for requests that match
-                      the hostname of the associated HTTPRoute. The referenced object
-                      MUST reside in the same namespace as HTTPRoute. \n This field
-                      is required when the TLS configuration mode of the associated
-                      Gateway listener is set to \"Passthrough\". \n CertificateRef
-                      can reference a standard Kubernetes resource, i.e. Secret, or
-                      an implementation-specific custom resource. \n Support: Core
-                      (Kubernetes Secrets) \n Support: Implementation-specific (Other
-                      resource types)"
-                    properties:
-                      group:
-                        description: Group is the group of the referent.
-                        maxLength: 253
-                        minLength: 1
-                        type: string
-                      kind:
-                        description: Kind is kind of the referent.
-                        maxLength: 253
-                        minLength: 1
-                        type: string
-                      name:
-                        description: Name is the name of the referent.
-                        maxLength: 253
-                        minLength: 1
-                        type: string
-                    required:
-                    - group
-                    - kind
-                    - name
-                    type: object
-                required:
-                - certificateRef
-                type: object
-            type: object
-          status:
-            description: Status defines the current state of HTTPRoute.
-            properties:
-              gateways:
-                description: "Gateways is a list of Gateways that are associated with
-                  the route, and the status of the route with respect to each Gateway.
-                  When a Gateway selects this route, the controller that manages the
-                  Gateway must add an entry to this list when the controller first
-                  sees the route and should update the entry as appropriate when the
-                  route is modified. \n A maximum of 100 Gateways will be represented
-                  in this list. If this list is full, there may be additional Gateways
-                  using this Route that are not included in the list. An empty list
-                  means the route has not been admitted by any Gateway."
-                items:
-                  description: RouteGatewayStatus describes the status of a route
-                    with respect to an associated Gateway.
-                  properties:
-                    conditions:
-                      description: Conditions describes the status of the route with
-                        respect to the Gateway. The "Admitted" condition must always
-                        be specified by controllers to indicate whether the route
-                        has been admitted or rejected by the Gateway, and why. Note
-                        that the route's availability is also subject to the Gateway's
-                        own status conditions and listener status.
-                      items:
-                        description: "Condition contains details for one aspect of
-                          the current state of this API Resource. --- This struct
-                          is intended for direct use as an array at the field path
-                          .status.conditions.  For example, type FooStatus struct{
-                          \    // Represents the observations of a foo's current state.
-                          \    // Known .status.conditions.type are: \"Available\",
-                          \"Progressing\", and \"Degraded\"     // +patchMergeKey=type
-                          \    // +patchStrategy=merge     // +listType=map     //
-                          +listMapKey=type     Conditions []metav1.Condition `json:\"conditions,omitempty\"
-                          patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
-                          \n     // other fields }"
-                        properties:
-                          lastTransitionTime:
-                            description: lastTransitionTime is the last time the condition
-                              transitioned from one status to another. This should
-                              be when the underlying condition changed.  If that is
-                              not known, then using the time when the API field changed
-                              is acceptable.
-                            format: date-time
-                            type: string
-                          message:
-                            description: message is a human readable message indicating
-                              details about the transition. This may be an empty string.
-                            maxLength: 32768
-                            type: string
-                          observedGeneration:
-                            description: observedGeneration represents the .metadata.generation
-                              that the condition was set based upon. For instance,
-                              if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
-                              is 9, the condition is out of date with respect to the
-                              current state of the instance.
-                            format: int64
-                            minimum: 0
-                            type: integer
-                          reason:
-                            description: reason contains a programmatic identifier
-                              indicating the reason for the condition's last transition.
-                              Producers of specific condition types may define expected
-                              values and meanings for this field, and whether the
-                              values are considered a guaranteed API. The value should
-                              be a CamelCase string. This field may not be empty.
-                            maxLength: 1024
-                            minLength: 1
-                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                            type: string
-                          status:
-                            description: status of the condition, one of True, False,
-                              Unknown.
-                            enum:
-                            - "True"
-                            - "False"
-                            - Unknown
-                            type: string
-                          type:
-                            description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                              --- Many .condition.type values are consistent across
-                              resources like Available, but because arbitrary conditions
-                              can be useful (see .node.status.conditions), the ability
-                              to deconflict is important. The regex it matches is
-                              (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                            maxLength: 316
-                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                            type: string
-                        required:
-                        - lastTransitionTime
-                        - message
-                        - reason
-                        - status
-                        - type
-                        type: object
-                      maxItems: 8
-                      type: array
-                      x-kubernetes-list-map-keys:
-                      - type
-                      x-kubernetes-list-type: map
-                    gatewayRef:
-                      description: GatewayRef is a reference to a Gateway object that
-                        is associated with the route.
-                      properties:
-                        controller:
-                          description: "Controller is a domain/path string that indicates
-                            the controller implementing the Gateway. This corresponds
-                            with the controller field on GatewayClass. \n Example:
-                            \"acme.io/gateway-controller\". \n The format of this
-                            field is DOMAIN \"/\" PATH, where DOMAIN and PATH are
-                            valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)."
-                          maxLength: 253
-                          type: string
-                        name:
-                          description: Name is the name of the referent.
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                        namespace:
-                          description: Namespace is the namespace of the referent.
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                      required:
-                      - name
-                      - namespace
-                      type: object
-                  required:
-                  - gatewayRef
-                  type: object
-                maxItems: 100
-                type: array
-            required:
-            - gateways
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/docs/content/reference/dynamic-configuration/networking.x-k8s.io_tcproutes.yaml
+++ b/docs/content/reference/dynamic-configuration/networking.x-k8s.io_tcproutes.yaml
@@ -1,401 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.5.0
-  creationTimestamp: null
-  name: tcproutes.networking.x-k8s.io
-spec:
-  group: networking.x-k8s.io
-  names:
-    categories:
-    - gateway-api
-    kind: TCPRoute
-    listKind: TCPRouteList
-    plural: tcproutes
-    singular: tcproute
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .metadata.creationTimestamp
-      name: Age
-      type: date
-    name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: TCPRoute is the Schema for the TCPRoute resource.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: Spec defines the desired state of TCPRoute.
-            properties:
-              gateways:
-                default:
-                  allow: SameNamespace
-                description: Gateways defines which Gateways can use this Route.
-                properties:
-                  allow:
-                    default: SameNamespace
-                    description: 'Allow indicates which Gateways will be allowed to
-                      use this route. Possible values are: * All: Gateways in any
-                      namespace can use this route. * FromList: Only Gateways specified
-                      in GatewayRefs may use this route. * SameNamespace: Only Gateways
-                      in the same namespace may use this route.'
-                    enum:
-                    - All
-                    - FromList
-                    - SameNamespace
-                    type: string
-                  gatewayRefs:
-                    description: GatewayRefs must be specified when Allow is set to
-                      "FromList". In that case, only Gateways referenced in this list
-                      will be allowed to use this route. This field is ignored for
-                      other values of "Allow".
-                    items:
-                      description: GatewayReference identifies a Gateway in a specified
-                        namespace.
-                      properties:
-                        name:
-                          description: Name is the name of the referent.
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                        namespace:
-                          description: Namespace is the namespace of the referent.
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                      required:
-                      - name
-                      - namespace
-                      type: object
-                    type: array
-                type: object
-              rules:
-                description: Rules are a list of TCP matchers and actions.
-                items:
-                  description: TCPRouteRule is the configuration for a given rule.
-                  properties:
-                    forwardTo:
-                      description: ForwardTo defines the backend(s) where matching
-                        requests should be sent.
-                      items:
-                        description: RouteForwardTo defines how a Route should forward
-                          a request.
-                        properties:
-                          backendRef:
-                            description: "BackendRef is a reference to a backend to
-                              forward matched requests to. If both BackendRef and
-                              ServiceName are specified, ServiceName will be given
-                              precedence. \n If the referent cannot be found, the
-                              rule is not included in the route. The controller should
-                              raise the \"ResolvedRefs\" condition on the Gateway
-                              with the \"DegradedRoutes\" reason. The gateway status
-                              for this route should be updated with a condition that
-                              describes the error more specifically. \n Support: Custom"
-                            properties:
-                              group:
-                                description: Group is the group of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              kind:
-                                description: Kind is kind of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              name:
-                                description: Name is the name of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                            required:
-                            - group
-                            - kind
-                            - name
-                            type: object
-                          port:
-                            description: "Port specifies the destination port number
-                              to use for the backend referenced by the ServiceName
-                              or BackendRef field. If unspecified, the destination
-                              port in the request is used when forwarding to a backendRef
-                              or serviceName. \n Support: Core"
-                            format: int32
-                            maximum: 65535
-                            minimum: 1
-                            type: integer
-                          serviceName:
-                            description: "ServiceName refers to the name of the Service
-                              to forward matched requests to. When specified, this
-                              takes the place of BackendRef. If both BackendRef and
-                              ServiceName are specified, ServiceName will be given
-                              precedence. \n If the referent cannot be found, the
-                              rule is not included in the route. The controller should
-                              raise the \"ResolvedRefs\" condition on the Gateway
-                              with the \"DegradedRoutes\" reason. The gateway status
-                              for this route should be updated with a condition that
-                              describes the error more specifically. \n The protocol
-                              to use is defined using AppProtocol field (introduced
-                              in Kubernetes 1.18) in the Service resource. In the
-                              absence of the AppProtocol field a `networking.x-k8s.io/app-protocol`
-                              annotation on the BackendPolicy resource may be used
-                              to define the protocol. If the AppProtocol field is
-                              available, this annotation should not be used. The AppProtocol
-                              field, when populated, takes precedence over the annotation
-                              in the BackendPolicy resource. For custom backends,
-                              it is encouraged to add a semantically-equivalent field
-                              in the Custom Resource Definition. \n Support: Core"
-                            maxLength: 253
-                            type: string
-                          weight:
-                            default: 1
-                            description: "Weight specifies the proportion of HTTP
-                              requests forwarded to the backend referenced by the
-                              ServiceName or BackendRef field. This is computed as
-                              weight/(sum of all weights in this ForwardTo list).
-                              For non-zero values, there may be some epsilon from
-                              the exact proportion defined here depending on the precision
-                              an implementation supports. Weight is not a percentage
-                              and the sum of weights does not need to equal 100. \n
-                              If only one backend is specified and it has a weight
-                              greater than 0, 100% of the traffic is forwarded to
-                              that backend. If weight is set to 0, no traffic should
-                              be forwarded for this entry. If unspecified, weight
-                              defaults to 1. \n Support: Extended"
-                            format: int32
-                            maximum: 1000000
-                            minimum: 0
-                            type: integer
-                        type: object
-                      maxItems: 16
-                      minItems: 1
-                      type: array
-                    matches:
-                      description: "Matches define conditions used for matching the
-                        rule against incoming TCP connections. Each match is independent,
-                        i.e. this rule will be matched if **any** one of the matches
-                        is satisfied. If unspecified (i.e. empty), this Rule will
-                        match all requests for the associated Listener. \n Each client
-                        request MUST map to a maximum of one route rule. If a request
-                        matches multiple rules, matching precedence MUST be determined
-                        in order of the following criteria, continuing on ties: \n
-                        * The most specific match specified by ExtensionRef. Each
-                        implementation   that supports ExtensionRef may have different
-                        ways of determining the   specificity of the referenced extension.
-                        \n If ties still exist across multiple Routes, matching precedence
-                        MUST be determined in order of the following criteria, continuing
-                        on ties: \n * The oldest Route based on creation timestamp.
-                        For example, a Route with   a creation timestamp of \"2020-09-08
-                        01:02:03\" is given precedence over   a Route with a creation
-                        timestamp of \"2020-09-08 01:02:04\". * The Route appearing
-                        first in alphabetical order by   \"<namespace>/<name>\". For
-                        example, foo/bar is given precedence over   foo/baz. \n If
-                        ties still exist within the Route that has been given precedence,
-                        matching precedence MUST be granted to the first matching
-                        rule meeting the above criteria."
-                      items:
-                        description: TCPRouteMatch defines the predicate used to match
-                          connections to a given action.
-                        properties:
-                          extensionRef:
-                            description: "ExtensionRef is an optional, implementation-specific
-                              extension to the \"match\" behavior.  For example, resource
-                              \"mytcproutematcher\" in group \"networking.acme.io\".
-                              If the referent cannot be found, the rule is not included
-                              in the route. The controller should raise the \"ResolvedRefs\"
-                              condition on the Gateway with the \"DegradedRoutes\"
-                              reason. The gateway status for this route should be
-                              updated with a condition that describes the error more
-                              specifically. \n Support: Custom"
-                            properties:
-                              group:
-                                description: Group is the group of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              kind:
-                                description: Kind is kind of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              name:
-                                description: Name is the name of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                            required:
-                            - group
-                            - kind
-                            - name
-                            type: object
-                        type: object
-                      maxItems: 8
-                      type: array
-                  required:
-                  - forwardTo
-                  type: object
-                maxItems: 16
-                minItems: 1
-                type: array
-            required:
-            - rules
-            type: object
-          status:
-            description: Status defines the current state of TCPRoute.
-            properties:
-              gateways:
-                description: "Gateways is a list of Gateways that are associated with
-                  the route, and the status of the route with respect to each Gateway.
-                  When a Gateway selects this route, the controller that manages the
-                  Gateway must add an entry to this list when the controller first
-                  sees the route and should update the entry as appropriate when the
-                  route is modified. \n A maximum of 100 Gateways will be represented
-                  in this list. If this list is full, there may be additional Gateways
-                  using this Route that are not included in the list. An empty list
-                  means the route has not been admitted by any Gateway."
-                items:
-                  description: RouteGatewayStatus describes the status of a route
-                    with respect to an associated Gateway.
-                  properties:
-                    conditions:
-                      description: Conditions describes the status of the route with
-                        respect to the Gateway. The "Admitted" condition must always
-                        be specified by controllers to indicate whether the route
-                        has been admitted or rejected by the Gateway, and why. Note
-                        that the route's availability is also subject to the Gateway's
-                        own status conditions and listener status.
-                      items:
-                        description: "Condition contains details for one aspect of
-                          the current state of this API Resource. --- This struct
-                          is intended for direct use as an array at the field path
-                          .status.conditions.  For example, type FooStatus struct{
-                          \    // Represents the observations of a foo's current state.
-                          \    // Known .status.conditions.type are: \"Available\",
-                          \"Progressing\", and \"Degraded\"     // +patchMergeKey=type
-                          \    // +patchStrategy=merge     // +listType=map     //
-                          +listMapKey=type     Conditions []metav1.Condition `json:\"conditions,omitempty\"
-                          patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
-                          \n     // other fields }"
-                        properties:
-                          lastTransitionTime:
-                            description: lastTransitionTime is the last time the condition
-                              transitioned from one status to another. This should
-                              be when the underlying condition changed.  If that is
-                              not known, then using the time when the API field changed
-                              is acceptable.
-                            format: date-time
-                            type: string
-                          message:
-                            description: message is a human readable message indicating
-                              details about the transition. This may be an empty string.
-                            maxLength: 32768
-                            type: string
-                          observedGeneration:
-                            description: observedGeneration represents the .metadata.generation
-                              that the condition was set based upon. For instance,
-                              if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
-                              is 9, the condition is out of date with respect to the
-                              current state of the instance.
-                            format: int64
-                            minimum: 0
-                            type: integer
-                          reason:
-                            description: reason contains a programmatic identifier
-                              indicating the reason for the condition's last transition.
-                              Producers of specific condition types may define expected
-                              values and meanings for this field, and whether the
-                              values are considered a guaranteed API. The value should
-                              be a CamelCase string. This field may not be empty.
-                            maxLength: 1024
-                            minLength: 1
-                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                            type: string
-                          status:
-                            description: status of the condition, one of True, False,
-                              Unknown.
-                            enum:
-                            - "True"
-                            - "False"
-                            - Unknown
-                            type: string
-                          type:
-                            description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                              --- Many .condition.type values are consistent across
-                              resources like Available, but because arbitrary conditions
-                              can be useful (see .node.status.conditions), the ability
-                              to deconflict is important. The regex it matches is
-                              (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                            maxLength: 316
-                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                            type: string
-                        required:
-                        - lastTransitionTime
-                        - message
-                        - reason
-                        - status
-                        - type
-                        type: object
-                      maxItems: 8
-                      type: array
-                      x-kubernetes-list-map-keys:
-                      - type
-                      x-kubernetes-list-type: map
-                    gatewayRef:
-                      description: GatewayRef is a reference to a Gateway object that
-                        is associated with the route.
-                      properties:
-                        controller:
-                          description: "Controller is a domain/path string that indicates
-                            the controller implementing the Gateway. This corresponds
-                            with the controller field on GatewayClass. \n Example:
-                            \"acme.io/gateway-controller\". \n The format of this
-                            field is DOMAIN \"/\" PATH, where DOMAIN and PATH are
-                            valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)."
-                          maxLength: 253
-                          type: string
-                        name:
-                          description: Name is the name of the referent.
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                        namespace:
-                          description: Namespace is the namespace of the referent.
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                      required:
-                      - name
-                      - namespace
-                      type: object
-                  required:
-                  - gatewayRef
-                  type: object
-                maxItems: 100
-                type: array
-            required:
-            - gateways
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/docs/content/reference/dynamic-configuration/networking.x-k8s.io_tlsroutes.yaml
+++ b/docs/content/reference/dynamic-configuration/networking.x-k8s.io_tlsroutes.yaml
@@ -1,437 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.5.0
-  creationTimestamp: null
-  name: tlsroutes.networking.x-k8s.io
-spec:
-  group: networking.x-k8s.io
-  names:
-    categories:
-    - gateway-api
-    kind: TLSRoute
-    listKind: TLSRouteList
-    plural: tlsroutes
-    singular: tlsroute
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .metadata.creationTimestamp
-      name: Age
-      type: date
-    name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: "The TLSRoute resource is similar to TCPRoute, but can be configured
-          to match against TLS-specific metadata. This allows more flexibility in
-          matching streams for a given TLS listener. \n If you need to forward traffic
-          to a single target for a TLS listener, you could choose to use a TCPRoute
-          with a TLS listener."
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: Spec defines the desired state of TLSRoute.
-            properties:
-              gateways:
-                default:
-                  allow: SameNamespace
-                description: Gateways defines which Gateways can use this Route.
-                properties:
-                  allow:
-                    default: SameNamespace
-                    description: 'Allow indicates which Gateways will be allowed to
-                      use this route. Possible values are: * All: Gateways in any
-                      namespace can use this route. * FromList: Only Gateways specified
-                      in GatewayRefs may use this route. * SameNamespace: Only Gateways
-                      in the same namespace may use this route.'
-                    enum:
-                    - All
-                    - FromList
-                    - SameNamespace
-                    type: string
-                  gatewayRefs:
-                    description: GatewayRefs must be specified when Allow is set to
-                      "FromList". In that case, only Gateways referenced in this list
-                      will be allowed to use this route. This field is ignored for
-                      other values of "Allow".
-                    items:
-                      description: GatewayReference identifies a Gateway in a specified
-                        namespace.
-                      properties:
-                        name:
-                          description: Name is the name of the referent.
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                        namespace:
-                          description: Namespace is the namespace of the referent.
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                      required:
-                      - name
-                      - namespace
-                      type: object
-                    type: array
-                type: object
-              rules:
-                description: Rules are a list of TLS matchers and actions.
-                items:
-                  description: TLSRouteRule is the configuration for a given rule.
-                  properties:
-                    forwardTo:
-                      description: ForwardTo defines the backend(s) where matching
-                        requests should be sent.
-                      items:
-                        description: RouteForwardTo defines how a Route should forward
-                          a request.
-                        properties:
-                          backendRef:
-                            description: "BackendRef is a reference to a backend to
-                              forward matched requests to. If both BackendRef and
-                              ServiceName are specified, ServiceName will be given
-                              precedence. \n If the referent cannot be found, the
-                              rule is not included in the route. The controller should
-                              raise the \"ResolvedRefs\" condition on the Gateway
-                              with the \"DegradedRoutes\" reason. The gateway status
-                              for this route should be updated with a condition that
-                              describes the error more specifically. \n Support: Custom"
-                            properties:
-                              group:
-                                description: Group is the group of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              kind:
-                                description: Kind is kind of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              name:
-                                description: Name is the name of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                            required:
-                            - group
-                            - kind
-                            - name
-                            type: object
-                          port:
-                            description: "Port specifies the destination port number
-                              to use for the backend referenced by the ServiceName
-                              or BackendRef field. If unspecified, the destination
-                              port in the request is used when forwarding to a backendRef
-                              or serviceName. \n Support: Core"
-                            format: int32
-                            maximum: 65535
-                            minimum: 1
-                            type: integer
-                          serviceName:
-                            description: "ServiceName refers to the name of the Service
-                              to forward matched requests to. When specified, this
-                              takes the place of BackendRef. If both BackendRef and
-                              ServiceName are specified, ServiceName will be given
-                              precedence. \n If the referent cannot be found, the
-                              rule is not included in the route. The controller should
-                              raise the \"ResolvedRefs\" condition on the Gateway
-                              with the \"DegradedRoutes\" reason. The gateway status
-                              for this route should be updated with a condition that
-                              describes the error more specifically. \n The protocol
-                              to use is defined using AppProtocol field (introduced
-                              in Kubernetes 1.18) in the Service resource. In the
-                              absence of the AppProtocol field a `networking.x-k8s.io/app-protocol`
-                              annotation on the BackendPolicy resource may be used
-                              to define the protocol. If the AppProtocol field is
-                              available, this annotation should not be used. The AppProtocol
-                              field, when populated, takes precedence over the annotation
-                              in the BackendPolicy resource. For custom backends,
-                              it is encouraged to add a semantically-equivalent field
-                              in the Custom Resource Definition. \n Support: Core"
-                            maxLength: 253
-                            type: string
-                          weight:
-                            default: 1
-                            description: "Weight specifies the proportion of HTTP
-                              requests forwarded to the backend referenced by the
-                              ServiceName or BackendRef field. This is computed as
-                              weight/(sum of all weights in this ForwardTo list).
-                              For non-zero values, there may be some epsilon from
-                              the exact proportion defined here depending on the precision
-                              an implementation supports. Weight is not a percentage
-                              and the sum of weights does not need to equal 100. \n
-                              If only one backend is specified and it has a weight
-                              greater than 0, 100% of the traffic is forwarded to
-                              that backend. If weight is set to 0, no traffic should
-                              be forwarded for this entry. If unspecified, weight
-                              defaults to 1. \n Support: Extended"
-                            format: int32
-                            maximum: 1000000
-                            minimum: 0
-                            type: integer
-                        type: object
-                      maxItems: 16
-                      minItems: 1
-                      type: array
-                    matches:
-                      description: "Matches define conditions used for matching the
-                        rule against incoming TLS connections. Each match is independent,
-                        i.e. this rule will be matched if **any** one of the matches
-                        is satisfied. If unspecified (i.e. empty), this Rule will
-                        match all requests for the associated Listener. \n Each client
-                        request MUST map to a maximum of one route rule. If a request
-                        matches multiple rules, matching precedence MUST be determined
-                        in order of the following criteria, continuing on ties: \n
-                        * The longest matching SNI. * The longest matching precise
-                        SNI (without a wildcard). This means that   \"b.example.com\"
-                        should be given precedence over \"*.example.com\". * The most
-                        specific match specified by ExtensionRef. Each implementation
-                        \  that supports ExtensionRef may have different ways of determining
-                        the   specificity of the referenced extension. \n If ties
-                        still exist across multiple Routes, matching precedence MUST
-                        be determined in order of the following criteria, continuing
-                        on ties: \n * The oldest Route based on creation timestamp.
-                        For example, a Route with   a creation timestamp of \"2020-09-08
-                        01:02:03\" is given precedence over   a Route with a creation
-                        timestamp of \"2020-09-08 01:02:04\". * The Route appearing
-                        first in alphabetical order by   \"<namespace>/<name>\". For
-                        example, foo/bar is given precedence over   foo/baz. \n If
-                        ties still exist within the Route that has been given precedence,
-                        matching precedence MUST be granted to the first matching
-                        rule meeting the above criteria."
-                      items:
-                        description: TLSRouteMatch defines the predicate used to match
-                          connections to a given action.
-                        properties:
-                          extensionRef:
-                            description: "ExtensionRef is an optional, implementation-specific
-                              extension to the \"match\" behavior.  For example, resource
-                              \"mytlsroutematcher\" in group \"networking.acme.io\".
-                              If the referent cannot be found, the rule is not included
-                              in the route. The controller should raise the \"ResolvedRefs\"
-                              condition on the Gateway with the \"DegradedRoutes\"
-                              reason. The gateway status for this route should be
-                              updated with a condition that describes the error more
-                              specifically. \n Support: Custom"
-                            properties:
-                              group:
-                                description: Group is the group of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              kind:
-                                description: Kind is kind of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                              name:
-                                description: Name is the name of the referent.
-                                maxLength: 253
-                                minLength: 1
-                                type: string
-                            required:
-                            - group
-                            - kind
-                            - name
-                            type: object
-                          snis:
-                            description: "SNIs defines a set of SNI names that should
-                              match against the SNI attribute of TLS ClientHello message
-                              in TLS handshake. \n SNI can be \"precise\" which is
-                              a domain name without the terminating dot of a network
-                              host (e.g. \"foo.example.com\") or \"wildcard\", which
-                              is a domain name prefixed with a single wildcard label
-                              (e.g. `*.example.com`). The wildcard character `*` must
-                              appear by itself as the first DNS label and matches
-                              only a single label. You cannot have a wildcard label
-                              by itself (e.g. Host == `*`). \n Requests will be matched
-                              against the Host field in the following order: \n 1.
-                              If SNI is precise, the request matches this rule if
-                              the SNI in    ClientHello is equal to one of the defined
-                              SNIs. 2. If SNI is a wildcard, then the request matches
-                              this rule if the    SNI is to equal to the suffix (removing
-                              the first label) of the    wildcard rule. 3. If SNIs
-                              is unspecified, all requests associated with the gateway
-                              TLS    listener will match. This can be used to define
-                              a default backend    for a TLS listener. \n Support:
-                              Core"
-                            items:
-                              description: Hostname is used to specify a hostname
-                                that should be matched.
-                              maxLength: 253
-                              minLength: 1
-                              type: string
-                            maxItems: 16
-                            type: array
-                        type: object
-                      maxItems: 8
-                      type: array
-                  required:
-                  - forwardTo
-                  type: object
-                maxItems: 16
-                minItems: 1
-                type: array
-            required:
-            - rules
-            type: object
-          status:
-            description: Status defines the current state of TLSRoute.
-            properties:
-              gateways:
-                description: "Gateways is a list of Gateways that are associated with
-                  the route, and the status of the route with respect to each Gateway.
-                  When a Gateway selects this route, the controller that manages the
-                  Gateway must add an entry to this list when the controller first
-                  sees the route and should update the entry as appropriate when the
-                  route is modified. \n A maximum of 100 Gateways will be represented
-                  in this list. If this list is full, there may be additional Gateways
-                  using this Route that are not included in the list. An empty list
-                  means the route has not been admitted by any Gateway."
-                items:
-                  description: RouteGatewayStatus describes the status of a route
-                    with respect to an associated Gateway.
-                  properties:
-                    conditions:
-                      description: Conditions describes the status of the route with
-                        respect to the Gateway. The "Admitted" condition must always
-                        be specified by controllers to indicate whether the route
-                        has been admitted or rejected by the Gateway, and why. Note
-                        that the route's availability is also subject to the Gateway's
-                        own status conditions and listener status.
-                      items:
-                        description: "Condition contains details for one aspect of
-                          the current state of this API Resource. --- This struct
-                          is intended for direct use as an array at the field path
-                          .status.conditions.  For example, type FooStatus struct{
-                          \    // Represents the observations of a foo's current state.
-                          \    // Known .status.conditions.type are: \"Available\",
-                          \"Progressing\", and \"Degraded\"     // +patchMergeKey=type
-                          \    // +patchStrategy=merge     // +listType=map     //
-                          +listMapKey=type     Conditions []metav1.Condition `json:\"conditions,omitempty\"
-                          patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
-                          \n     // other fields }"
-                        properties:
-                          lastTransitionTime:
-                            description: lastTransitionTime is the last time the condition
-                              transitioned from one status to another. This should
-                              be when the underlying condition changed.  If that is
-                              not known, then using the time when the API field changed
-                              is acceptable.
-                            format: date-time
-                            type: string
-                          message:
-                            description: message is a human readable message indicating
-                              details about the transition. This may be an empty string.
-                            maxLength: 32768
-                            type: string
-                          observedGeneration:
-                            description: observedGeneration represents the .metadata.generation
-                              that the condition was set based upon. For instance,
-                              if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
-                              is 9, the condition is out of date with respect to the
-                              current state of the instance.
-                            format: int64
-                            minimum: 0
-                            type: integer
-                          reason:
-                            description: reason contains a programmatic identifier
-                              indicating the reason for the condition's last transition.
-                              Producers of specific condition types may define expected
-                              values and meanings for this field, and whether the
-                              values are considered a guaranteed API. The value should
-                              be a CamelCase string. This field may not be empty.
-                            maxLength: 1024
-                            minLength: 1
-                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                            type: string
-                          status:
-                            description: status of the condition, one of True, False,
-                              Unknown.
-                            enum:
-                            - "True"
-                            - "False"
-                            - Unknown
-                            type: string
-                          type:
-                            description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                              --- Many .condition.type values are consistent across
-                              resources like Available, but because arbitrary conditions
-                              can be useful (see .node.status.conditions), the ability
-                              to deconflict is important. The regex it matches is
-                              (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                            maxLength: 316
-                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                            type: string
-                        required:
-                        - lastTransitionTime
-                        - message
-                        - reason
-                        - status
-                        - type
-                        type: object
-                      maxItems: 8
-                      type: array
-                      x-kubernetes-list-map-keys:
-                      - type
-                      x-kubernetes-list-type: map
-                    gatewayRef:
-                      description: GatewayRef is a reference to a Gateway object that
-                        is associated with the route.
-                      properties:
-                        controller:
-                          description: "Controller is a domain/path string that indicates
-                            the controller implementing the Gateway. This corresponds
-                            with the controller field on GatewayClass. \n Example:
-                            \"acme.io/gateway-controller\". \n The format of this
-                            field is DOMAIN \"/\" PATH, where DOMAIN and PATH are
-                            valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)."
-                          maxLength: 253
-                          type: string
-                        name:
-                          description: Name is the name of the referent.
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                        namespace:
-                          description: Namespace is the namespace of the referent.
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                      required:
-                      - name
-                      - namespace
-                      type: object
-                  required:
-                  - gatewayRef
-                  type: object
-                maxItems: 100
-                type: array
-            required:
-            - gateways
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml
@@ -62,6 +62,8 @@ spec:
                        - name
                        type: object
                      type: array
+                    priority:
+                      type: integer
                    services:
                      items:
                        description: ServiceTCP defines an upstream to proxy traffic.
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
@@ -101,6 +101,8 @@ spec:
                    items:
                      type: string
                    type: array
+                  minResponseBodyBytes:
+                    type: integer
                type: object
              contentType:
                description: ContentType middleware - or rather its unique `autoDetect`
@@ -398,8 +400,9 @@ spec:
                      info configuration.
                    properties:
                      issuer:
-                        description: TLSClientCertificateDNInfo holds the client TLS
-                          certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
+                        description: TLSClientCertificateIssuerDNInfo holds the client
+                          TLS certificate distinguished name info configuration. cf
+                          https://tools.ietf.org/html/rfc3739
                        properties:
                          commonName:
                            type: boolean
@@ -425,8 +428,9 @@ spec:
                      serialNumber:
                        type: boolean
                      subject:
-                        description: TLSClientCertificateDNInfo holds the client TLS
-                          certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
+                        description: TLSClientCertificateSubjectDNInfo holds the client
+                          TLS certificate distinguished name info configuration. cf
+                          https://tools.ietf.org/html/rfc3739
                        properties:
                          commonName:
                            type: boolean
@@ -438,6 +442,8 @@ spec:
                            type: boolean
                          organization:
                            type: boolean
+                          organizationalUnit:
+                            type: boolean
                          province:
                            type: boolean
                          serialNumber:
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml
@@ -36,6 +36,13 @@ spec:
          spec:
            description: MiddlewareTCPSpec holds the MiddlewareTCP configuration.
            properties:
+              inFlightConn:
+                description: TCPInFlightConn holds the TCP in flight connection configuration.
+                properties:
+                  amount:
+                    format: int64
+                    type: integer
+                type: object
              ipWhiteList:
                description: TCPIPWhiteList holds the TCP ip white list configuration.
                properties:
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml
@@ -52,23 +52,40 @@ spec:
                    anyOf:
                    - type: integer
                    - type: string
-                    description: The amount of time to wait until a connection to
-                      a backend server can be established. If zero, no timeout exists.
+                    description: DialTimeout is the amount of time to wait until a
+                      connection to a backend server can be established. If zero,
+                      no timeout exists.
                    x-kubernetes-int-or-string: true
                  idleConnTimeout:
                    anyOf:
                    - type: integer
                    - type: string
-                    description: The maximum period for which an idle HTTP keep-alive
-                      connection will remain open before closing itself.
+                    description: IdleConnTimeout is the maximum period for which an
+                      idle HTTP keep-alive connection will remain open before closing
+                      itself.
+                    x-kubernetes-int-or-string: true
+                  pingTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: PingTimeout is the timeout after which the HTTP/2
+                      connection will be closed if a response to ping is not received.
+                    x-kubernetes-int-or-string: true
+                  readIdleTimeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: ReadIdleTimeout is the timeout after which a health
+                      check using ping frame will be carried out if no frame is received
+                      on the HTTP/2 connection. If zero, no health check is performed.
                    x-kubernetes-int-or-string: true
                  responseHeaderTimeout:
                    anyOf:
                    - type: integer
                    - type: string
-                    description: The amount of time to wait for a server's response
-                      headers after fully writing the request (including its body,
-                      if any). If zero, no timeout exists.
+                    description: ResponseHeaderTimeout is the amount of time to wait
+                      for a server's response headers after fully writing the request
+                      (including its body, if any). If zero, no timeout exists.
                    x-kubernetes-int-or-string: true
                type: object
              insecureSkipVerify:
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@@ -54,6 +54,9 @@ Certificates resolvers configuration. (Default: ```false```)
 `--certificatesresolvers.<name>.acme.caserver`:  
 CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)

+`--certificatesresolvers.<name>.acme.certificatesduration`:  
+Certificates' duration in hours. (Default: ```2160```)
+
 `--certificatesresolvers.<name>.acme.dnschallenge`:  
 Activate DNS-01 Challenge. (Default: ```false```)

@@ -102,9 +105,6 @@ Entry points definition. (Default: ```false```)
 `--entrypoints.<name>.address`:  
 Entry point address.

-`--entrypoints.<name>.enablehttp3`:  
-Enable HTTP3. (Default: ```false```)
-
 `--entrypoints.<name>.forwardedheaders.insecure`:  
 Trust all forwarded headers. (Default: ```false```)

@@ -147,6 +147,12 @@ Subject alternative names.
 `--entrypoints.<name>.http.tls.options`:  
 Default TLS options for the routers linked to the entry point.

+`--entrypoints.<name>.http3`:  
+HTTP3 configuration. (Default: ```false```)
+
+`--entrypoints.<name>.http3.advertisedport`:  
+UDP port to advertise, on which HTTP/3 is available. (Default: ```0```)
+
 `--entrypoints.<name>.proxyprotocol`:  
 Proxy-Protocol configuration. (Default: ```false```)

@@ -177,6 +183,9 @@ Timeout defines how long to wait on an idle session before releasing the related
 `--experimental.http3`:  
 Enable HTTP3. (Default: ```false```)

+`--experimental.hub`:  
+Enable the Traefik Hub provider. (Default: ```false```)
+
 `--experimental.kubernetesgateway`:  
 Allow the Kubernetes gateway api provider usage. (Default: ```false```)

@@ -210,6 +219,24 @@ resolv.conf used for DNS resolving (Default: ```/etc/resolv.conf```)
 `--hostresolver.resolvdepth`:  
 The maximal depth of DNS recursive resolving (Default: ```5```)

+`--hub`:  
+Traefik Hub configuration. (Default: ```false```)
+
+`--hub.entrypoint`:  
+Entrypoint that exposes data for Traefik Hub. It should be a dedicated one, and not used by any router. (Default: ```traefik-hub```)
+
+`--hub.tls.ca`:  
+The certificate authority authenticates the Traefik Hub Agent certificate.
+
+`--hub.tls.cert`:  
+The TLS certificate for Traefik Proxy as a TLS client.
+
+`--hub.tls.insecure`:  
+Enables an insecure TLS connection that uses default credentials, and which has no peer authentication between Traefik Proxy and the Traefik Hub Agent. (Default: ```false```)
+
+`--hub.tls.key`:  
+The TLS key for Traefik Proxy as a TLS client.
+
 `--log`:  
 Traefik log settings. (Default: ```false```)

@@ -237,6 +264,9 @@ Enable metrics on routers. (Default: ```false```)
 `--metrics.datadog.addserviceslabels`:  
 Enable metrics on services. (Default: ```true```)

+`--metrics.datadog.prefix`:  
+Prefix to use for metrics collection. (Default: ```traefik```)
+
 `--metrics.datadog.pushinterval`:  
 Datadog push interval. (Default: ```10```)

@@ -246,6 +276,9 @@ InfluxDB metrics exporter type. (Default: ```false```)
 `--metrics.influxdb.addentrypointslabels`:  
 Enable metrics on entry points. (Default: ```true```)

+`--metrics.influxdb.additionallabels.<name>`:  
+Additional labels (influxdb tags) on all metrics
+
 `--metrics.influxdb.address`:  
 InfluxDB address. (Default: ```localhost:8089```)

@@ -273,6 +306,36 @@ InfluxDB retention policy used when protocol is http.
 `--metrics.influxdb.username`:  
 InfluxDB username (only with http).

+`--metrics.influxdb2`:  
+InfluxDB v2 metrics exporter type. (Default: ```false```)
+
+`--metrics.influxdb2.addentrypointslabels`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`--metrics.influxdb2.additionallabels.<name>`:  
+Additional labels (influxdb tags) on all metrics
+
+`--metrics.influxdb2.address`:  
+InfluxDB v2 address. (Default: ```http://localhost:8086```)
+
+`--metrics.influxdb2.addrouterslabels`:  
+Enable metrics on routers. (Default: ```false```)
+
+`--metrics.influxdb2.addserviceslabels`:  
+Enable metrics on services. (Default: ```true```)
+
+`--metrics.influxdb2.bucket`:  
+InfluxDB v2 bucket ID.
+
+`--metrics.influxdb2.org`:  
+InfluxDB v2 org ID.
+
+`--metrics.influxdb2.pushinterval`:  
+InfluxDB v2 push interval. (Default: ```10```)
+
+`--metrics.influxdb2.token`:  
+InfluxDB v2 access token.
+
 `--metrics.prometheus`:  
 Prometheus metrics exporter type. (Default: ```false```)

@@ -339,6 +402,9 @@ Enable Consul backend with default settings. (Default: ```false```)
 `--providers.consul.endpoints`:  
 KV store endpoints (Default: ```127.0.0.1:8500```)

+`--providers.consul.namespace`:  
+KV Namespace
+
 `--providers.consul.password`:  
 KV Password

@@ -360,6 +426,9 @@ TLS insecure skip verify (Default: ```false```)
 `--providers.consul.tls.key`:  
 TLS key

+`--providers.consul.token`:  
+KV Token
+
 `--providers.consul.username`:  
 KV Username

@@ -420,6 +489,9 @@ Token is used to provide a per-request ACL token which overrides the agent's def
 `--providers.consulcatalog.exposedbydefault`:  
 Expose containers by default. (Default: ```true```)

+`--providers.consulcatalog.namespace`:  
+Sets the namespace used to discover services (Consul Enterprise only).
+
 `--providers.consulcatalog.prefix`:  
 Prefix for consul service tags. Default 'traefik' (Default: ```traefik```)

@@ -435,6 +507,9 @@ Name of the Traefik service in Consul Catalog (needs to be registered via the or
 `--providers.consulcatalog.stale`:  
 Use stale consistency for catalog reads. (Default: ```false```)

+`--providers.consulcatalog.watch`:  
+Watch Consul API events. (Default: ```false```)
+
 `--providers.docker`:  
 Enable Docker backend with default settings. (Default: ```false```)

@@ -519,6 +594,9 @@ Enable Etcd backend with default settings. (Default: ```false```)
 `--providers.etcd.endpoints`:  
 KV store endpoints (Default: ```127.0.0.1:2379```)

+`--providers.etcd.namespace`:  
+KV Namespace
+
 `--providers.etcd.password`:  
 KV Password

@@ -540,6 +618,9 @@ TLS insecure skip verify (Default: ```false```)
 `--providers.etcd.tls.key`:  
 TLS key

+`--providers.etcd.token`:  
+KV Token
+
 `--providers.etcd.username`:  
 KV Username

@@ -588,6 +669,9 @@ Enable Kubernetes backend with default settings. (Default: ```false```)
 `--providers.kubernetescrd.allowcrossnamespace`:  
 Allow cross namespace resource reference. (Default: ```false```)

+`--providers.kubernetescrd.allowemptyservices`:  
+Allow the creation of services without endpoints. (Default: ```false```)
+
 `--providers.kubernetescrd.allowexternalnameservices`:  
 Allow ExternalName services. (Default: ```false```)

@@ -774,6 +858,9 @@ Enable Redis backend with default settings. (Default: ```false```)
 `--providers.redis.endpoints`:  
 KV store endpoints (Default: ```127.0.0.1:6379```)

+`--providers.redis.namespace`:  
+KV Namespace
+
 `--providers.redis.password`:  
 KV Password

@@ -795,6 +882,9 @@ TLS insecure skip verify (Default: ```false```)
 `--providers.redis.tls.key`:  
 TLS key

+`--providers.redis.token`:  
+KV Token
+
 `--providers.redis.username`:  
 KV Username

@@ -810,6 +900,9 @@ Enable ZooKeeper backend with default settings. (Default: ```false```)
 `--providers.zookeeper.endpoints`:  
 KV store endpoints (Default: ```127.0.0.1:2181```)

+`--providers.zookeeper.namespace`:  
+KV Namespace
+
 `--providers.zookeeper.password`:  
 KV Password

@@ -831,6 +924,9 @@ TLS insecure skip verify (Default: ```false```)
 `--providers.zookeeper.tls.key`:  
 TLS key

+`--providers.zookeeper.token`:  
+KV Token
+
 `--providers.zookeeper.username`:  
 KV Username

@@ -921,11 +1017,14 @@ Sets the header name used to store the trace ID.
 `--tracing.instana`:  
 Settings for Instana. (Default: ```false```)

+`--tracing.instana.enableautoprofile`:  
+Enables automatic profiling for the Traefik process. (Default: ```false```)
+
 `--tracing.instana.localagenthost`:  
 Sets the Instana Agent host.

 `--tracing.instana.localagentport`:  
-Sets the Instana Agent port used. (Default: ```42699```)
+Sets the Instana Agent port. (Default: ```42699```)

 `--tracing.instana.loglevel`:  
 Sets the log level for the Instana tracer. ('error','warn','info','debug') (Default: ```info```)
--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@@ -54,6 +54,9 @@ Certificates resolvers configuration. (Default: ```false```)
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CASERVER`:  
 CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)

+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CERTIFICATESDURATION`:  
+Certificates' duration in hours. (Default: ```2160```)
+
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE`:  
 Activate DNS-01 Challenge. (Default: ```false```)

@@ -102,9 +105,6 @@ Entry points definition. (Default: ```false```)
 `TRAEFIK_ENTRYPOINTS_<NAME>_ADDRESS`:  
 Entry point address.

-`TRAEFIK_ENTRYPOINTS_<NAME>_ENABLEHTTP3`:  
-Enable HTTP3. (Default: ```false```)
-
 `TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_INSECURE`:  
 Trust all forwarded headers. (Default: ```false```)

@@ -114,6 +114,12 @@ Trust only forwarded headers from selected IPs.
 `TRAEFIK_ENTRYPOINTS_<NAME>_HTTP`:  
 HTTP configuration.

+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP3`:  
+HTTP3 configuration. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP3_ADVERTISEDPORT`:  
+UDP port to advertise, on which HTTP/3 is available. (Default: ```0```)
+
 `TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_MIDDLEWARES`:  
 Default middlewares for the routers linked to the entry point.

@@ -177,6 +183,9 @@ Timeout defines how long to wait on an idle session before releasing the related
 `TRAEFIK_EXPERIMENTAL_HTTP3`:  
 Enable HTTP3. (Default: ```false```)

+`TRAEFIK_EXPERIMENTAL_HUB`:  
+Enable the Traefik Hub provider. (Default: ```false```)
+
 `TRAEFIK_EXPERIMENTAL_KUBERNETESGATEWAY`:  
 Allow the Kubernetes gateway api provider usage. (Default: ```false```)

@@ -210,6 +219,24 @@ resolv.conf used for DNS resolving (Default: ```/etc/resolv.conf```)
 `TRAEFIK_HOSTRESOLVER_RESOLVDEPTH`:  
 The maximal depth of DNS recursive resolving (Default: ```5```)

+`TRAEFIK_HUB`:  
+Traefik Hub configuration. (Default: ```false```)
+
+`TRAEFIK_HUB_ENTRYPOINT`:  
+Entrypoint that exposes data for Traefik Hub. It should be a dedicated one, and not used by any router. (Default: ```traefik-hub```)
+
+`TRAEFIK_HUB_TLS_CA`:  
+The certificate authority authenticates the Traefik Hub Agent certificate.
+
+`TRAEFIK_HUB_TLS_CERT`:  
+The TLS certificate for Traefik Proxy as a TLS client.
+
+`TRAEFIK_HUB_TLS_INSECURE`:  
+Enables an insecure TLS connection that uses default credentials, and which has no peer authentication between Traefik Proxy and the Traefik Hub Agent. (Default: ```false```)
+
+`TRAEFIK_HUB_TLS_KEY`:  
+The TLS key for Traefik Proxy as a TLS client.
+
 `TRAEFIK_LOG`:  
 Traefik log settings. (Default: ```false```)

@@ -237,15 +264,51 @@ Enable metrics on routers. (Default: ```false```)
 `TRAEFIK_METRICS_DATADOG_ADDSERVICESLABELS`:  
 Enable metrics on services. (Default: ```true```)

+`TRAEFIK_METRICS_DATADOG_PREFIX`:  
+Prefix to use for metrics collection. (Default: ```traefik```)
+
 `TRAEFIK_METRICS_DATADOG_PUSHINTERVAL`:  
 Datadog push interval. (Default: ```10```)

 `TRAEFIK_METRICS_INFLUXDB`:  
 InfluxDB metrics exporter type. (Default: ```false```)

+`TRAEFIK_METRICS_INFLUXDB2`:  
+InfluxDB v2 metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_INFLUXDB2_ADDENTRYPOINTSLABELS`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`TRAEFIK_METRICS_INFLUXDB2_ADDITIONALLABELS_<NAME>`:  
+Additional labels (influxdb tags) on all metrics
+
+`TRAEFIK_METRICS_INFLUXDB2_ADDRESS`:  
+InfluxDB v2 address. (Default: ```http://localhost:8086```)
+
+`TRAEFIK_METRICS_INFLUXDB2_ADDROUTERSLABELS`:  
+Enable metrics on routers. (Default: ```false```)
+
+`TRAEFIK_METRICS_INFLUXDB2_ADDSERVICESLABELS`:  
+Enable metrics on services. (Default: ```true```)
+
+`TRAEFIK_METRICS_INFLUXDB2_BUCKET`:  
+InfluxDB v2 bucket ID.
+
+`TRAEFIK_METRICS_INFLUXDB2_ORG`:  
+InfluxDB v2 org ID.
+
+`TRAEFIK_METRICS_INFLUXDB2_PUSHINTERVAL`:  
+InfluxDB v2 push interval. (Default: ```10```)
+
+`TRAEFIK_METRICS_INFLUXDB2_TOKEN`:  
+InfluxDB v2 access token.
+
 `TRAEFIK_METRICS_INFLUXDB_ADDENTRYPOINTSLABELS`:  
 Enable metrics on entry points. (Default: ```true```)

+`TRAEFIK_METRICS_INFLUXDB_ADDITIONALLABELS_<NAME>`:  
+Additional labels (influxdb tags) on all metrics
+
 `TRAEFIK_METRICS_INFLUXDB_ADDRESS`:  
 InfluxDB address. (Default: ```localhost:8089```)

@@ -393,6 +456,9 @@ Token is used to provide a per-request ACL token which overrides the agent's def
 `TRAEFIK_PROVIDERS_CONSULCATALOG_EXPOSEDBYDEFAULT`:  
 Expose containers by default. (Default: ```true```)

+`TRAEFIK_PROVIDERS_CONSULCATALOG_NAMESPACE`:  
+Sets the namespace used to discover services (Consul Enterprise only).
+
 `TRAEFIK_PROVIDERS_CONSULCATALOG_PREFIX`:  
 Prefix for consul service tags. Default 'traefik' (Default: ```traefik```)

@@ -408,9 +474,15 @@ Name of the Traefik service in Consul Catalog (needs to be registered via the or
 `TRAEFIK_PROVIDERS_CONSULCATALOG_STALE`:  
 Use stale consistency for catalog reads. (Default: ```false```)

+`TRAEFIK_PROVIDERS_CONSULCATALOG_WATCH`:  
+Watch Consul API events. (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_CONSUL_ENDPOINTS`:  
 KV store endpoints (Default: ```127.0.0.1:8500```)

+`TRAEFIK_PROVIDERS_CONSUL_NAMESPACE`:  
+KV Namespace
+
 `TRAEFIK_PROVIDERS_CONSUL_PASSWORD`:  
 KV Password

@@ -432,6 +504,9 @@ TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_PROVIDERS_CONSUL_TLS_KEY`:  
 TLS key

+`TRAEFIK_PROVIDERS_CONSUL_TOKEN`:  
+KV Token
+
 `TRAEFIK_PROVIDERS_CONSUL_USERNAME`:  
 KV Username

@@ -519,6 +594,9 @@ Enable Etcd backend with default settings. (Default: ```false```)
 `TRAEFIK_PROVIDERS_ETCD_ENDPOINTS`:  
 KV store endpoints (Default: ```127.0.0.1:2379```)

+`TRAEFIK_PROVIDERS_ETCD_NAMESPACE`:  
+KV Namespace
+
 `TRAEFIK_PROVIDERS_ETCD_PASSWORD`:  
 KV Password

@@ -540,6 +618,9 @@ TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_PROVIDERS_ETCD_TLS_KEY`:  
 TLS key

+`TRAEFIK_PROVIDERS_ETCD_TOKEN`:  
+KV Token
+
 `TRAEFIK_PROVIDERS_ETCD_USERNAME`:  
 KV Username

@@ -588,6 +669,9 @@ Enable Kubernetes backend with default settings. (Default: ```false```)
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_ALLOWCROSSNAMESPACE`:  
 Allow cross namespace resource reference. (Default: ```false```)

+`TRAEFIK_PROVIDERS_KUBERNETESCRD_ALLOWEMPTYSERVICES`:  
+Allow the creation of services without endpoints. (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_ALLOWEXTERNALNAMESERVICES`:  
 Allow ExternalName services. (Default: ```false```)

@@ -774,6 +858,9 @@ Enable Redis backend with default settings. (Default: ```false```)
 `TRAEFIK_PROVIDERS_REDIS_ENDPOINTS`:  
 KV store endpoints (Default: ```127.0.0.1:6379```)

+`TRAEFIK_PROVIDERS_REDIS_NAMESPACE`:  
+KV Namespace
+
 `TRAEFIK_PROVIDERS_REDIS_PASSWORD`:  
 KV Password

@@ -795,6 +882,9 @@ TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_PROVIDERS_REDIS_TLS_KEY`:  
 TLS key

+`TRAEFIK_PROVIDERS_REDIS_TOKEN`:  
+KV Token
+
 `TRAEFIK_PROVIDERS_REDIS_USERNAME`:  
 KV Username

@@ -810,6 +900,9 @@ Enable ZooKeeper backend with default settings. (Default: ```false```)
 `TRAEFIK_PROVIDERS_ZOOKEEPER_ENDPOINTS`:  
 KV store endpoints (Default: ```127.0.0.1:2181```)

+`TRAEFIK_PROVIDERS_ZOOKEEPER_NAMESPACE`:  
+KV Namespace
+
 `TRAEFIK_PROVIDERS_ZOOKEEPER_PASSWORD`:  
 KV Password

@@ -831,6 +924,9 @@ TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_PROVIDERS_ZOOKEEPER_TLS_KEY`:  
 TLS key

+`TRAEFIK_PROVIDERS_ZOOKEEPER_TOKEN`:  
+KV Token
+
 `TRAEFIK_PROVIDERS_ZOOKEEPER_USERNAME`:  
 KV Username

@@ -921,11 +1017,14 @@ Sets the header name used to store the trace ID.
 `TRAEFIK_TRACING_INSTANA`:  
 Settings for Instana. (Default: ```false```)

+`TRAEFIK_TRACING_INSTANA_ENABLEAUTOPROFILE`:  
+Enables automatic profiling for the Traefik process. (Default: ```false```)
+
 `TRAEFIK_TRACING_INSTANA_LOCALAGENTHOST`:  
 Sets the Instana Agent host.

 `TRAEFIK_TRACING_INSTANA_LOCALAGENTPORT`:  
-Sets the Instana Agent port used. (Default: ```42699```)
+Sets the Instana Agent port. (Default: ```42699```)

 `TRAEFIK_TRACING_INSTANA_LOGLEVEL`:  
 Sets the log level for the Instana tracer. ('error','warn','info','debug') (Default: ```info```)
--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@@ -14,7 +14,6 @@
 [entryPoints]
  [entryPoints.EntryPoint0]
    address = "foobar"
-    enableHTTP3 = true
    [entryPoints.EntryPoint0.transport]
      [entryPoints.EntryPoint0.transport.lifeCycle]
        requestAcceptGraceTimeout = 42
@@ -31,6 +30,8 @@
      trustedIPs = ["foobar", "foobar"]
    [entryPoints.EntryPoint0.udp]
      timeout = 42
+    [entryPoints.EntryPoint0.http3]
+      advertisedPort = 42
    [entryPoints.EntryPoint0.http]
      middlewares = ["foobar", "foobar"]
      [entryPoints.EntryPoint0.http.redirections]
@@ -120,6 +121,7 @@
    labelSelector = "foobar"
    ingressClass = "foobar"
    throttleDuration = 42
+    allowEmptyServices = true
  [providers.kubernetesGateway]
    endpoint = "foobar"
    token = "foobar"
@@ -147,6 +149,8 @@
    cache = true
    exposedByDefault = true
    defaultRule = "foobar"
+    namespace = "foobar"
+    watch = true
    [providers.consulCatalog.endpoint]
      address = "foobar"
      scheme = "foobar"
@@ -177,6 +181,8 @@
    endpoints = ["foobar", "foobar"]
    username = "foobar"
    password = "foobar"
+    namespace = "foobar"
+    token = "foobar"
    [providers.consul.tls]
      ca = "foobar"
      caOptional = true
@@ -188,6 +194,8 @@
    endpoints = ["foobar", "foobar"]
    username = "foobar"
    password = "foobar"
+    namespace = "foobar"
+    token = "foobar"
    [providers.etcd.tls]
      ca = "foobar"
      caOptional = true
@@ -199,6 +207,8 @@
    endpoints = ["foobar", "foobar"]
    username = "foobar"
    password = "foobar"
+    namespace = "foobar"
+    token = "foobar"
    [providers.zooKeeper.tls]
      ca = "foobar"
      caOptional = true
@@ -210,6 +220,8 @@
    endpoints = ["foobar", "foobar"]
    username = "foobar"
    password = "foobar"
+    namespace = "foobar"
+    token = "foobar"
    [providers.redis.tls]
      ca = "foobar"
      caOptional = true
@@ -249,6 +261,7 @@
    addEntryPointsLabels = true
    addRoutersLabels = true
    addServicesLabels = true
+    prefix = "foobar"
  [metrics.statsD]
    address = "foobar"
    pushInterval = "42s"
@@ -267,6 +280,19 @@
    addEntryPointsLabels = true
    addRoutersLabels = true
    addServicesLabels = true
+    [metrics.influxDB.additionalLabels]
+      foobar = "foobar"
+  [metrics.influxDB2]
+    address = "foobar"
+    token = "foobar"
+    pushInterval = "42s"
+    org = "foobar"
+    bucket = "foobar"
+    addEntryPointsLabels = true
+    addRoutersLabels = true
+    addServicesLabels = true
+    [metrics.influxDB2.additionalLabels]
+      foobar = "foobar"

 [ping]
  entryPoint = "foobar"
@@ -354,6 +380,7 @@
    [certificatesResolvers.CertificateResolver0.acme]
      email = "foobar"
      caServer = "foobar"
+      certificatesDuration = 2160
      preferredChain = "foobar"
      storage = "foobar"
      keyType = "foobar"
@@ -372,6 +399,7 @@
    [certificatesResolvers.CertificateResolver1.acme]
      email = "foobar"
      caServer = "foobar"
+      certificatesDuration = 2160
      preferredChain = "foobar"
      storage = "foobar"
      keyType = "foobar"
@@ -391,9 +419,18 @@
  token = "foobar"
  dashboard = true

+[hub]
+  entrypoint = "foobar"
+  [hub.tls]
+    insecure = true
+    ca = "foobar"
+    cert = "foobar"
+    key = "foobar"
+
 [experimental]
  kubernetesGateway = true
  http3 = true
+  hub = true
  [experimental.plugins]
    [experimental.plugins.Descriptor0]
      moduleName = "foobar"
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@@ -32,7 +32,8 @@ entryPoints:
      trustedIPs:
      - foobar
      - foobar
-    enableHTTP3: true
+    http3:
+      advertisedPort: 42
    udp:
      timeout: 42
    http:
@@ -130,6 +131,7 @@ providers:
    labelSelector: foobar
    ingressClass: foobar
    throttleDuration: 42s
+    allowEmptyServices: true
  kubernetesGateway:
    endpoint: foobar
    token: foobar
@@ -159,6 +161,8 @@ providers:
    cache: true
    exposedByDefault: true
    defaultRule: foobar
+    namespace: foobar
+    watch: true
    endpoint:
      address: foobar
      scheme: foobar
@@ -193,6 +197,8 @@ providers:
    - foobar
    username: foobar
    password: foobar
+    namespace: foobar
+    token: foobar
    tls:
      ca: foobar
      caOptional: true
@@ -206,6 +212,8 @@ providers:
    - foobar
    username: foobar
    password: foobar
+    namespace: foobar
+    token: foobar
    tls:
      ca: foobar
      caOptional: true
@@ -219,6 +227,8 @@ providers:
    - foobar
    username: foobar
    password: foobar
+    namespace: foobar
+    token: foobar
    tls:
      ca: foobar
      caOptional: true
@@ -232,6 +242,8 @@ providers:
    - foobar
    username: foobar
    password: foobar
+    namespace: foobar
+    token: foobar
    tls:
      ca: foobar
      caOptional: true
@@ -271,6 +283,7 @@ metrics:
    addEntryPointsLabels: true
    addRoutersLabels: true
    addServicesLabels: true
+    prefix: foobar
  statsD:
    address: foobar
    pushInterval: 42
@@ -289,6 +302,20 @@ metrics:
    addEntryPointsLabels: true
    addRoutersLabels: true
    addServicesLabels: true
+    additionalLabels:
+      foobar: foobar
+  influxDB2:
+    address: foobar
+    token: foobar
+    pushInterval: 42s
+    org: foobar
+    bucket: foobar
+    addEntryPointsLabels: true
+    addRoutersLabels: true
+    addServicesLabels: true
+    additionalLabels:
+      foobar: foobar
+
 ping:
  entryPoint: foobar
  manualRouting: true
@@ -372,6 +399,7 @@ certificatesResolvers:
    acme:
      email: foobar
      caServer: foobar
+      certificatesDuration: 2160
      preferredChain: foobar
      storage: foobar
      keyType: foobar
@@ -392,6 +420,7 @@ certificatesResolvers:
    acme:
      email: foobar
      caServer: foobar
+      certificatesDuration: 2160
      preferredChain: foobar
      storage: foobar
      keyType: foobar
@@ -411,9 +440,17 @@ certificatesResolvers:
 pilot:
  token: foobar
  dashboard: true
+hub:
+  entrypoint: foobar
+  tls:
+    insecure: true
+    ca: foobar
+    cert: foobar
+    key: foobar
 experimental:
  kubernetesGateway: true
  http3: true
+  hub: true
  plugins:
    Descriptor0:
      moduleName: foobar
--- a/docs/content/routing/entrypoints.md
+++ b/docs/content/routing/entrypoints.md
@@ -100,7 +100,8 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
    entryPoints:
      name:
        address: ":8888" # same as ":8888/tcp"
-        enableHTTP3: true
+        http3:
+          advertisedPort: 8888
        transport:
          lifeCycle:
            requestAcceptGraceTimeout: 42
@@ -126,7 +127,8 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
    [entryPoints]
      [entryPoints.name]
        address = ":8888" # same as ":8888/tcp"
-        enableHTTP3 = true
+        [entryPoints.name.http3]
+          advertisedPort = 8888
        [entryPoints.name.transport]
          [entryPoints.name.transport.lifeCycle]
            requestAcceptGraceTimeout = 42
@@ -146,7 +148,7 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
    ```bash tab="CLI"
    ## Static configuration
    --entryPoints.name.address=:8888 # same as :8888/tcp
-    --entryPoints.name.http3=true
+    --entryPoints.name.http3.advertisedport=8888
    --entryPoints.name.transport.lifeCycle.requestAcceptGraceTimeout=42
    --entryPoints.name.transport.lifeCycle.graceTimeOut=42
    --entryPoints.name.transport.respondingTimeouts.readTimeout=42
@@ -221,41 +223,74 @@ If both TCP and UDP are wanted for the same port, two entryPoints definitions ar

    Full details for how to specify `address` can be found in [net.Listen](https://golang.org/pkg/net/#Listen) (and [net.Dial](https://golang.org/pkg/net/#Dial)) of the doc for go.

-### EnableHTTP3
+### HTTP/3

-`enableHTTP3` defines that you want to enable HTTP3 on this `address`.
-You can only enable HTTP3 on a TCP entrypoint.
-Enabling HTTP3 will automatically add the correct headers for the connection upgrade to HTTP3.
+#### `http3`

-??? info "HTTP3 uses UDP+TLS"
+`http3` enables HTTP/3 protocol on the entryPoint.
+HTTP/3 requires a TCP entryPoint, as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP.
+In most scenarios, this entryPoint is the same as the one used for TLS traffic.

-    As HTTP3 uses UDP, you can't have a TCP entrypoint with HTTP3 on the same port as a UDP entrypoint.
-    Since HTTP3 requires the use of TLS, only routers with TLS enabled will be usable with HTTP3.
+??? info "HTTP/3 uses UDP+TLS"

-!!! warning "Enabling Experimental HTTP3"
+    As HTTP/3 uses UDP, you can't have a TCP entryPoint with HTTP/3 on the same port as a UDP entryPoint.
+    Since HTTP/3 requires the use of TLS, only routers with TLS enabled will be usable with HTTP/3.

-    As the HTTP3 spec is still in draft, HTTP3 support in Traefik is an experimental feature and needs to be activated 
+!!! warning "Enabling Experimental HTTP/3"
+
+    As the HTTP/3 spec is still in draft, HTTP/3 support in Traefik is an experimental feature and needs to be activated 
    in the experimental section of the static configuration.
    
    ```yaml tab="File (YAML)"
    experimental:
      http3: true
-    
+
    entryPoints:
      name:
-        enableHTTP3: true
+        http3: {}
    ```

    ```toml tab="File (TOML)"
    [experimental]
      http3 = true
    
-    [entryPoints.name]
-      enableHTTP3 = true
+    [entryPoints.name.http3]
    ```
    
    ```bash tab="CLI"
-    --experimental.http3=true --entrypoints.name.enablehttp3=true
+    --experimental.http3=true 
+    --entrypoints.name.http3
+    ```
+
+#### `advertisedPort`
+
+`http3.advertisedPort` defines which UDP port to advertise as the HTTP/3 authority.
+It defaults to the entryPoint's address port.
+It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening.
+
+!!! info "http3.advertisedPort"
+
+    ```yaml tab="File (YAML)"
+    experimental:
+      http3: true
+
+    entryPoints:
+      name:
+        http3:
+          advertisedPort: 443
+    ```
+
+    ```toml tab="File (TOML)"
+    [experimental]
+      http3 = true
+    
+    [entryPoints.name.http3]
+      advertisedPort = 443
+    ```
+    
+    ```bash tab="CLI"
+    --experimental.http3=true 
+    --entrypoints.name.http3.advertisedport=443
    ```

 ### Forwarded Headers
--- a/docs/content/routing/overview.md
+++ b/docs/content/routing/overview.md
@@ -21,7 +21,7 @@ If they do, the router might transform the request using pieces of [middleware](

 ## Example with a File Provider

-Below is an example of a full configuration file for the [file provider](../providers/file.md) that forwards `http://domain/whoami/` requests to a service reachable on `http://private/whoami-service/`.
+Below is an example of a full configuration file for the [file provider](../providers/file.md) that forwards `http://example.com/whoami/` requests to a service reachable on `http://private/whoami-service/`.
 In the process, Traefik will make sure that the user is authenticated (using the [BasicAuth middleware](../middlewares/http/basicauth.md)).

 Static configuration:
@@ -122,7 +122,7 @@ http:
    In this example, we've defined routing rules for http requests only.
    Traefik also supports TCP requests. To add [TCP routers](./routers/index.md) and [TCP services](./services/index.md), declare them in a TCP section like in the following.

-    ??? example "Adding a TCP route for TLS requests on whoami.example.com"
+    ??? example "Adding a TCP route for TLS requests on whoami-tcp.example.com"

        **Static Configuration**

@@ -324,7 +324,7 @@ serversTransport:

 `forwardingTimeouts` is about a number of timeouts relevant to when forwarding requests to the backend servers.

-#### forwardingTimeouts.dialTimeout`
+#### `forwardingTimeouts.dialTimeout`

 _Optional, Default=30s_

@@ -349,7 +349,7 @@ serversTransport:
 --serversTransport.forwardingTimeouts.dialTimeout=1s
 ```

-#### forwardingTimeouts.responseHeaderTimeout`
+#### `forwardingTimeouts.responseHeaderTimeout`

 _Optional, Default=0s_

@@ -376,7 +376,7 @@ serversTransport:
 --serversTransport.forwardingTimeouts.responseHeaderTimeout=1s
 ```

-#### forwardingTimeouts.idleConnTimeout`
+#### `forwardingTimeouts.idleConnTimeout`

 _Optional, Default=90s_

--- a/docs/content/routing/providers/consul-catalog.md
+++ b/docs/content/routing/providers/consul-catalog.md
@@ -63,7 +63,7 @@ For example, to change the rule, you could add the tag ```traefik.http.routers.m
    See [tls](../routers/index.md#tls) for more information.
    
    ```yaml
-    traefik.http.routers.myrouter>.tls=true
+    traefik.http.routers.myrouter.tls=true
    ```

 ??? info "`traefik.http.routers.<router_name>.tls.certresolver`"
@@ -99,7 +99,8 @@ For example, to change the rule, you could add the tag ```traefik.http.routers.m
    ```

 ??? info "`traefik.http.routers.<router_name>.priority`"
-    <!-- TODO doc priority in routers page -->
+
+    See [priority](../routers/index.md#priority) for more information.
    
    ```yaml
    traefik.http.routers.myrouter.priority=42
@@ -136,7 +137,7 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
    See [serverstransport](../services/index.md#serverstransport) for more information.
    
    ```yaml
-    traefik.http.services.<service_name>.loadbalancer.serverstransport=foobar@file
+    traefik.http.services.myservice.loadbalancer.serverstransport=foobar@file
    ```

 ??? info "`traefik.http.services.<service_name>.loadbalancer.passhostheader`"
--- a/docs/content/routing/providers/docker.md
+++ b/docs/content/routing/providers/docker.md
@@ -538,6 +538,14 @@ You can declare TCP Routers and/or Services using labels.
    - "traefik.tcp.routers.mytcprouter.tls.passthrough=true"
    ```

+??? info "`traefik.tcp.routers.<router_name>.priority`"
+
+    See [priority](../routers/index.md#priority_1) for more information.
+
+    ```yaml
+    - "traefik.tcp.routers.myrouter.priority=42"
+    ```
+
 #### TCP Services

 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.port`"
--- a/docs/content/routing/providers/ecs.md
+++ b/docs/content/routing/providers/ecs.md
@@ -379,6 +379,14 @@ You can declare TCP Routers and/or Services using labels.
    traefik.tcp.routers.mytcprouter.tls.passthrough=true
    ```

+??? info "`traefik.tcp.routers.<router_name>.priority`"
+
+    See [priority](../routers/index.md#priority_1) for more information.
+
+    ```yaml
+    traefik.tcp.routers.myrouter.priority=42
+    ```
+
 #### TCP Services

 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.port`"
--- a/docs/content/routing/providers/kubernetes-crd.md
+++ b/docs/content/routing/providers/kubernetes-crd.md
@@ -43,7 +43,7 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v2.5
+              image: traefik:v2.7
              args:
                - --log.level=DEBUG
                - --api
@@ -357,27 +357,27 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
          - b.example.net
    ```

-| Ref  | Attribute                      | Purpose                                                                                                                                                                                                                                                                                    |
-|------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [1]  | `entryPoints`                  | List of [entry points](../routers/index.md#entrypoints) names                                                                                                                                                                                                                              |
-| [2]  | `routes`                       | List of routes                                                                                                                                                                                                                                                                             |
-| [3]  | `routes[n].match`              | Defines the [rule](../routers/index.md#rule) corresponding to an underlying router.                                                                                                                                                                                                        |
-| [4]  | `routes[n].priority`           | [Disambiguate](../routers/index.md#priority) rules of the same length, for route matching                                                                                                                                                                                                  |
-| [5]  | `routes[n].middlewares`        | List of reference to [Middleware](#kind-middleware)                                                                                                                                                                                                                                        |
-| [6]  | `middlewares[n].name`          | Defines the [Middleware](#kind-middleware) name                                                                                                                                                                                                                                            |
-| [7]  | `middlewares[n].namespace`     | Defines the [Middleware](#kind-middleware) namespace                                                                                                                                                                                                                                       |
-| [8]  | `routes[n].services`           | List of any combination of [TraefikService](#kind-traefikservice) and reference to a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) (See below for `ExternalName Service` setup)                                                                   |
-| [9]  | `services[n].port`             | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.                                                                                                                                     |
+| Ref  | Attribute                      | Purpose                                                                                                                                                                                                                                                                                      |
+|------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [1]  | `entryPoints`                  | List of [entry points](../routers/index.md#entrypoints) names                                                                                                                                                                                                                                |
+| [2]  | `routes`                       | List of routes                                                                                                                                                                                                                                                                               |
+| [3]  | `routes[n].match`              | Defines the [rule](../routers/index.md#rule) corresponding to an underlying router.                                                                                                                                                                                                          |
+| [4]  | `routes[n].priority`           | Defines the [priority](../routers/index.md#priority) to disambiguate rules of the same length, for route matching                                                                                                                                                                            |
+| [5]  | `routes[n].middlewares`        | List of reference to [Middleware](#kind-middleware)                                                                                                                                                                                                                                          |
+| [6]  | `middlewares[n].name`          | Defines the [Middleware](#kind-middleware) name                                                                                                                                                                                                                                              |
+| [7]  | `middlewares[n].namespace`     | Defines the [Middleware](#kind-middleware) namespace                                                                                                                                                                                                                                         |
+| [8]  | `routes[n].services`           | List of any combination of [TraefikService](#kind-traefikservice) and reference to a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) (See below for `ExternalName Service` setup)                                                                     |
+| [9]  | `services[n].port`             | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.                                                                                                                                       |
 | [10] | `services[n].serversTransport` | Defines the reference to a [ServersTransport](#kind-serverstransport). The ServersTransport namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace (see [ServersTransport reference](#serverstransport-reference)). |
-| [11] | `tls`                          | Defines [TLS](../routers/index.md#tls) certificate configuration                                                                                                                                                                                                                           |
-| [12] | `tls.secretName`               | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                       |
-| [13] | `tls.options`                  | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                    |
-| [14] | `options.name`                 | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                              |
-| [15] | `options.namespace`            | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                         |
-| [16] | `tls.certResolver`             | Defines the reference to a [CertResolver](../routers/index.md#certresolver)                                                                                                                                                                                                                |
-| [17] | `tls.domains`                  | List of [domains](../routers/index.md#domains)                                                                                                                                                                                                                                             |
-| [18] | `domains[n].main`              | Defines the main domain name                                                                                                                                                                                                                                                               |
-| [19] | `domains[n].sans`              | List of SANs (alternative domains)                                                                                                                                                                                                                                                         |
+| [11] | `tls`                          | Defines [TLS](../routers/index.md#tls) certificate configuration                                                                                                                                                                                                                             |
+| [12] | `tls.secretName`               | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                         |
+| [13] | `tls.options`                  | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                      |
+| [14] | `options.name`                 | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                                |
+| [15] | `options.namespace`            | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                           |
+| [16] | `tls.certResolver`             | Defines the reference to a [CertResolver](../routers/index.md#certresolver)                                                                                                                                                                                                                  |
+| [17] | `tls.domains`                  | List of [domains](../routers/index.md#domains)                                                                                                                                                                                                                                               |
+| [18] | `domains[n].main`              | Defines the main domain name                                                                                                                                                                                                                                                                 |
+| [19] | `domains[n].sans`              | List of SANs (alternative domains)                                                                                                                                                                                                                                                           |

 ??? example "Declaring an IngressRoute"

@@ -1088,54 +1088,56 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
        - footcp
      routes:                       # [2]
      - match: HostSNI(`*`)         # [3]
+        priority: 10                # [4]
        middlewares:
-        - name: middleware1         # [4]
-          namespace: default        # [5]
-        services:                   # [6]
-        - name: foo                 # [7]
-          port: 8080                # [8]
-          weight: 10                # [9]
-          terminationDelay: 400     # [10]
-          proxyProtocol:            # [11]
-            version: 1              # [12]
-      tls:                          # [13]
-        secretName: supersecret     # [14]
-        options:                    # [15]
-          name: opt                 # [16]
-          namespace: default        # [17]
-        certResolver: foo           # [18]
-        domains:                    # [19]
-        - main: example.net         # [20]
-          sans:                     # [21]
+        - name: middleware1         # [5]
+          namespace: default        # [6]
+        services:                   # [7]
+        - name: foo                 # [8]
+          port: 8080                # [9]
+          weight: 10                # [10]
+          terminationDelay: 400     # [11]
+          proxyProtocol:            # [12]
+            version: 1              # [13]
+      tls:                          # [14]
+        secretName: supersecret     # [15]
+        options:                    # [16]
+          name: opt                 # [17]
+          namespace: default        # [18]
+        certResolver: foo           # [19]
+        domains:                    # [20]
+        - main: example.net         # [21]
+          sans:                     # [22]
          - a.example.net
          - b.example.net
-        passthrough: false          # [22]
+        passthrough: false          # [23]
    ```

 | Ref  | Attribute                      | Purpose                                                                                                                                                                                                                                                                                                                                                                              |
 |------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | [1]  | `entryPoints`                  | List of [entrypoints](../routers/index.md#entrypoints_1) names                                                                                                                                                                                                                                                                                                                       |
 | [2]  | `routes`                       | List of routes                                                                                                                                                                                                                                                                                                                                                                       |
-| [3]  | `routes[n].match`              | Defines the [rule](../routers/index.md#rule_1) corresponding to an underlying router                                                                                                                                                                                                                                                                                                 |
-| [4]  | `middlewares[n].name`          | Defines the [MiddlewareTCP](#kind-middlewaretcp) name                                                                                                                                                                                                                                                                                                                                |
-| [5]  | `middlewares[n].namespace`     | Defines the [MiddlewareTCP](#kind-middlewaretcp) namespace                                                                                                                                                                                                                                                                                                                           |
-| [6]  | `routes[n].services`           | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions  (See below for `ExternalName Service` setup)                                                                                                                                                                                                                             |
-| [7]  | `services[n].name`             | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/)                                                                                                                                                                                                                                                                         |
-| [8]  | `services[n].port`             | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.                                                                                                                                                                                                                               |
-| [9]  | `services[n].weight`           | Defines the weight to apply to the server load balancing                                                                                                                                                                                                                                                                                                                             |
-| [10] | `services[n].terminationDelay` | corresponds to the deadline that the proxy sets, after one of its connected peers indicates it has closed the writing capability of its connection, to close the reading capability as well, hence fully terminating the connection. It is a duration in milliseconds, defaulting to 100. A negative value means an infinite deadline (i.e. the reading capability is never closed). |
-| [11] | `proxyProtocol`                | Defines the [PROXY protocol](../services/index.md#proxy-protocol) configuration                                                                                                                                                                                                                                                                                                      |
-| [12] | `version`                      | Defines the [PROXY protocol](../services/index.md#proxy-protocol) version                                                                                                                                                                                                                                                                                                            |
-| [13] | `tls`                          | Defines [TLS](../routers/index.md#tls_1) certificate configuration                                                                                                                                                                                                                                                                                                                   |
-| [14] | `tls.secretName`               | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                                                                                                                 |
-| [15] | `tls.options`                  | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                                                                                                              |
-| [16] | `options.name`                 | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                                                                                                                        |
-| [17] | `options.namespace`            | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                                                                                                                   |
-| [18] | `tls.certResolver`             | Defines the reference to a [CertResolver](../routers/index.md#certresolver_1)                                                                                                                                                                                                                                                                                                        |
-| [19] | `tls.domains`                  | List of [domains](../routers/index.md#domains_1)                                                                                                                                                                                                                                                                                                                                     |
-| [20] | `domains[n].main`              | Defines the main domain name                                                                                                                                                                                                                                                                                                                                                         |
-| [21] | `domains[n].sans`              | List of SANs (alternative domains)                                                                                                                                                                                                                                                                                                                                                   |
-| [22] | `tls.passthrough`              | If `true`, delegates the TLS termination to the backend                                                                                                                                                                                                                                                                                                                              |
+| [3]  | `routes[n].match`              | Defines the [rule](../routers/index.md#rule_1) of the underlying router                                                                                                                                                                                                                                                                                                 |
+| [4]  | `routes[n].priority`           | Defines the [priority](../routers/index.md#priority_1) to disambiguate rules of the same length, for route matching                                                                                                                                                                                                                                                                                                |
+| [5]  | `middlewares[n].name`          | Defines the [MiddlewareTCP](#kind-middlewaretcp) name                                                                                                                                                                                                                                                                                                                                |
+| [6]  | `middlewares[n].namespace`     | Defines the [MiddlewareTCP](#kind-middlewaretcp) namespace                                                                                                                                                                                                                                                                                                                           |
+| [7]  | `routes[n].services`           | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions  (See below for `ExternalName Service` setup)                                                                                                                                                                                                                             |
+| [8]  | `services[n].name`             | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/)                                                                                                                                                                                                                                                                         |
+| [9]  | `services[n].port`             | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.                                                                                                                                                                                                                               |
+| [10] | `services[n].weight`           | Defines the weight to apply to the server load balancing                                                                                                                                                                                                                                                                                                                             |
+| [11] | `services[n].terminationDelay` | corresponds to the deadline that the proxy sets, after one of its connected peers indicates it has closed the writing capability of its connection, to close the reading capability as well, hence fully terminating the connection. It is a duration in milliseconds, defaulting to 100. A negative value means an infinite deadline (i.e. the reading capability is never closed). |
+| [12] | `proxyProtocol`                | Defines the [PROXY protocol](../services/index.md#proxy-protocol) configuration                                                                                                                                                                                                                                                                                                      |
+| [13] | `version`                      | Defines the [PROXY protocol](../services/index.md#proxy-protocol) version                                                                                                                                                                                                                                                                                                            |
+| [14] | `tls`                          | Defines [TLS](../routers/index.md#tls_1) certificate configuration                                                                                                                                                                                                                                                                                                                   |
+| [15] | `tls.secretName`               | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                                                                                                                 |
+| [16] | `tls.options`                  | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                                                                                                              |
+| [17] | `options.name`                 | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                                                                                                                        |
+| [18] | `options.namespace`            | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                                                                                                                   |
+| [19] | `tls.certResolver`             | Defines the reference to a [CertResolver](../routers/index.md#certresolver_1)                                                                                                                                                                                                                                                                                                        |
+| [20] | `tls.domains`                  | List of [domains](../routers/index.md#domains_1)                                                                                                                                                                                                                                                                                                                                     |
+| [21] | `domains[n].main`              | Defines the main domain name                                                                                                                                                                                                                                                                                                                                                         |
+| [22] | `domains[n].sans`              | List of SANs (alternative domains)                                                                                                                                                                                                                                                                                                                                                   |
+| [23] | `tls.passthrough`              | If `true`, delegates the TLS termination to the backend                                                                                                                                                                                                                                                                                                                              |

 ??? example "Declaring an IngressRouteTCP"

@@ -1151,6 +1153,7 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
      routes:
      # Match is the rule corresponding to an underlying router.
      - match: HostSNI(`*`)
+        priority: 10
        services:
        - name: foo
          port: 8080
@@ -1485,39 +1488,40 @@ or referencing TLS options in the [`IngressRoute`](#kind-ingressroute) / [`Ingre
    apiVersion: traefik.containo.us/v1alpha1
    kind: TLSOption
    metadata:
-      name: mytlsoption
+      name: mytlsoption                             # [1]
      namespace: default
    
    spec:
-      minVersion: VersionTLS12                      # [1]
-      maxVersion: VersionTLS13                      # [1]
-      curvePreferences:                             # [3]
+      minVersion: VersionTLS12                      # [2]
+      maxVersion: VersionTLS13                      # [3]
+      curvePreferences:                             # [4]
        - CurveP521
        - CurveP384
-      cipherSuites:                                 # [4]
+      cipherSuites:                                 # [5]
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_RSA_WITH_AES_256_GCM_SHA384
-      clientAuth:                                   # [5]
-        secretNames:                                # [6]
+      clientAuth:                                   # [6]
+        secretNames:                                # [7]
          - secret-ca1
          - secret-ca2
-        clientAuthType: VerifyClientCertIfGiven     # [7]
-      sniStrict: true                               # [8]
-      alpnProtocols:                                # [9]
+        clientAuthType: VerifyClientCertIfGiven     # [8]
+      sniStrict: true                               # [9]
+      alpnProtocols:                                # [10]
        - foobar
    ```

-| Ref | Attribute                   | Purpose                                                                                                                                                                                                                    |
-|-----|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [1] | `minVersion`                | Defines the [minimum TLS version](../../https/tls.md#minimum-tls-version) that is acceptable                                                                                                                               |
-| [2] | `maxVersion`                | Defines the [maximum TLS version](../../https/tls.md#maximum-tls-version) that is acceptable                                                                                                                               |
-| [3] | `cipherSuites`              | list of supported [cipher suites](../../https/tls.md#cipher-suites) for TLS versions up to TLS 1.2                                                                                                                         |
-| [4] | `curvePreferences`          | List of the [elliptic curves references](../../https/tls.md#curve-preferences) that will be used in an ECDHE handshake, in preference order                                                                                |
-| [5] | `clientAuth`                | determines the server's policy for TLS [Client Authentication](../../https/tls.md#client-authentication-mtls)                                                                                                              |
-| [6] | `clientAuth.secretNames`    | list of names of the referenced Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) (in TLSOption namespace). The secret must contain a certificate under either a `tls.ca` or a `ca.crt` key. |
-| [7] | `clientAuth.clientAuthType` | defines the client authentication type to apply. The available values are: `NoClientCert`, `RequestClientCert`, `VerifyClientCertIfGiven` and `RequireAndVerifyClientCert`                                                 |
-| [8] | `sniStrict`                 | if `true`, Traefik won't allow connections from clients connections that do not specify a server_name extension                                                                                                            |
-| [9] | `alpnProtocols`             | List of supported [application level protocols](../../https/tls.md#alpn-protocols) for the TLS handshake, in order of preference.                                                                                          |
+| Ref  | Attribute                   | Purpose                                                                                                                                                                                                                    |
+|------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [1]  | `name`                      | Defines the name of the TLSOption resource. One can use `default` as name to redefine the [default TLSOption](../../https/tls.md#tls-options).                                                                             |
+| [2]  | `minVersion`                | Defines the [minimum TLS version](../../https/tls.md#minimum-tls-version) that is acceptable.                                                                                                                              |
+| [3]  | `maxVersion`                | Defines the [maximum TLS version](../../https/tls.md#maximum-tls-version) that is acceptable.                                                                                                                              |
+| [4]  | `cipherSuites`              | list of supported [cipher suites](../../https/tls.md#cipher-suites) for TLS versions up to TLS 1.2.                                                                                                                        |
+| [5]  | `curvePreferences`          | List of the [elliptic curves references](../../https/tls.md#curve-preferences) that will be used in an ECDHE handshake, in preference order.                                                                               |
+| [6]  | `clientAuth`                | determines the server's policy for TLS [Client Authentication](../../https/tls.md#client-authentication-mtls).                                                                                                             |
+| [7]  | `clientAuth.secretNames`    | list of names of the referenced Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) (in TLSOption namespace). The secret must contain a certificate under either a `tls.ca` or a `ca.crt` key. |
+| [8]  | `clientAuth.clientAuthType` | defines the client authentication type to apply. The available values are: `NoClientCert`, `RequestClientCert`, `VerifyClientCertIfGiven` and `RequireAndVerifyClientCert`.                                                |
+| [9]  | `sniStrict`                 | if `true`, Traefik won't allow connections from clients connections that do not specify a server_name extension.                                                                                                           |
+| [10] | `alpnProtocols`             | List of supported [application level protocols](../../https/tls.md#alpn-protocols) for the TLS handshake, in order of preference.                                                                                          |

 !!! info "CA Secret"

--- a/docs/content/routing/providers/kubernetes-gateway.md
+++ b/docs/content/routing/providers/kubernetes-gateway.md
@@ -1,7 +1,6 @@
 # Traefik & Kubernetes

-The Kubernetes Gateway API, The Experimental Way.
-{: .subtitle }
+The Kubernetes Gateway API, The Experimental Way. {: .subtitle }

 ## Configuration Examples

@@ -28,162 +27,180 @@ The Kubernetes Gateway API, The Experimental Way.
 ### Custom Resource Definition (CRD)

 * You can find an exhaustive list, of the custom resources and their attributes in
-[the reference page](../../reference/dynamic-configuration/kubernetes-gateway.md) or in the Kubernetes Sigs `Gateway API` [repository](https://github.com/kubernetes-sigs/gateway-api).
-* Validate that [the prerequisites](../../providers/kubernetes-gateway.md#configuration-requirements) are fulfilled before using the Traefik Kubernetes Gateway Provider.
-    
+  [the reference page](../../reference/dynamic-configuration/kubernetes-gateway.md) or in the Kubernetes
+  Sigs `Gateway API` [repository](https://github.com/kubernetes-sigs/gateway-api).
+* Validate that [the prerequisites](../../providers/kubernetes-gateway.md#configuration-requirements) are fulfilled
+  before using the Traefik Kubernetes Gateway Provider.
+
 You can find an excerpt of the supported Kubernetes Gateway API resources in the table below:

 | Kind                               | Purpose                                                                   | Concept Behind                                                                       |
 |------------------------------------|---------------------------------------------------------------------------|--------------------------------------------------------------------------------------|
-| [GatewayClass](#kind-gatewayclass) | Defines a set of Gateways that share a common configuration and behaviour | [GatewayClass](https://gateway-api.sigs.k8s.io/v1alpha1/api-types/gatewayclass)      |
-| [Gateway](#kind-gateway)           | Describes how traffic can be translated to Services within the cluster    | [Gateway](https://gateway-api.sigs.k8s.io/v1alpha1/api-types/gateway)                |
-| [HTTPRoute](#kind-httproute)       | HTTP rules for mapping requests from a Gateway to Kubernetes Services     | [Route](https://gateway-api.sigs.k8s.io/v1alpha1/api-types/httproute)                |
+| [GatewayClass](#kind-gatewayclass) | Defines a set of Gateways that share a common configuration and behaviour | [GatewayClass](https://gateway-api.sigs.k8s.io/v1alpha2/api-types/gatewayclass)      |
+| [Gateway](#kind-gateway)           | Describes how traffic can be translated to Services within the cluster    | [Gateway](https://gateway-api.sigs.k8s.io/v1alpha2/api-types/gateway)                |
+| [HTTPRoute](#kind-httproute)       | HTTP rules for mapping requests from a Gateway to Kubernetes Services     | [Route](https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute)                |
 | [TCPRoute](#kind-tcproute)         | Allows mapping TCP requests from a Gateway to Kubernetes Services         | [Route](https://gateway-api.sigs.k8s.io/concepts/api-overview/#tcproute-and-udproute)|
 | [TLSRoute](#kind-tlsroute)         | Allows mapping TLS requests from a Gateway to Kubernetes Services         | [Route](https://gateway-api.sigs.k8s.io/concepts/api-overview/#tcproute-and-udproute)|

 ### Kind: `GatewayClass`

-`GatewayClass` is cluster-scoped resource defined by the infrastructure provider. This resource represents a class of Gateways that can be instantiated.
-More details on the GatewayClass [official documentation](https://gateway-api.sigs.k8s.io/v1alpha1/api-types/gatewayclass/).
+`GatewayClass` is cluster-scoped resource defined by the infrastructure provider. This resource represents a class of
+Gateways that can be instantiated. More details on the
+GatewayClass [official documentation](https://gateway-api.sigs.k8s.io/v1alpha1/api-types/gatewayclass/).

 The `GatewayClass` should be declared by the infrastructure provider, otherwise please register the `GatewayClass`
-[definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the Kubernetes cluster before 
+[definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the Kubernetes cluster before
 creating `GatewayClass` objects.

 !!! info "Declaring GatewayClass"

    ```yaml
+    apiVersion: gateway.networking.k8s.io/v1alpha2
    kind: GatewayClass
-    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-gateway-class
    spec:
      # Controller is a domain/path string that indicates
      # the controller that is managing Gateways of this class.
-      controller: traefik.io/gateway-controller
+      controllerName: traefik.io/gateway-controller
    ```

 ### Kind: `Gateway`

-A `Gateway` is 1:1 with the life cycle of the configuration of infrastructure. When a user creates a Gateway, 
-some load balancing infrastructure is provisioned or configured by the GatewayClass controller. 
-More details on the Gateway [official documentation](https://gateway-api.sigs.k8s.io/v1alpha1/api-types/gateway/).
+A `Gateway` is 1:1 with the life cycle of the configuration of infrastructure. When a user creates a Gateway, some load
+balancing infrastructure is provisioned or configured by the GatewayClass controller. More details on the
+Gateway [official documentation](https://gateway-api.sigs.k8s.io/v1alpha2/api-types/gateway/).

 Register the `Gateway` [definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the
 Kubernetes cluster before creating `Gateway` objects.

 Depending on the Listener Protocol, different modes and Route types are supported.

-| Listener Protocol | TLS Mode       | Route Type Supported         |
-|-------------------|----------------|------------------------------|
-| TCP               | Not applicable | [TCPRoute](#kind-tcproute)   |
-| TLS               | Passthrough    | [TLSRoute](#kind-tlsroute)   |
-| TLS               | Terminate      | [TCPRoute](#kind-tcproute)   |
-| HTTP              | Not applicable | [HTTPRoute](#kind-httproute) |
-| HTTPS             | Terminate      | [HTTPRoute](#kind-httproute) |
+| Listener Protocol | TLS Mode       | Route Type Supported                                   |
+|-------------------|----------------|--------------------------------------------------------|
+| TCP               | Not applicable | [TCPRoute](#kind-tcproute)                             |
+| TLS               | Passthrough    | [TLSRoute](#kind-tlsroute), [TCPRoute](#kind-tcproute) |
+| TLS               | Terminate      | [TLSRoute](#kind-tlsroute), [TCPRoute](#kind-tcproute) |
+| HTTP              | Not applicable | [HTTPRoute](#kind-httproute)                           |
+| HTTPS             | Terminate      | [HTTPRoute](#kind-httproute)                           |

 !!! info "Declaring Gateway"

    ```yaml tab="HTTP Listener"
+    apiVersion: gateway.networking.k8s.io/v1alpha2
    kind: Gateway
-    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-http-gateway
      namespace: default
    spec:
      gatewayClassName: my-gateway-class        # [1]
      listeners:                                # [2]
-        - protocol: HTTP                        # [3] 
-          port: 80                              # [4]
-          routes:                               # [8]
-            kind: HTTPRoute                     # [9]
-            selector:                           # [10]
-              matchLabels:                      # [11]
-                app: foo
+        - name: http                            # [3]
+          protocol: HTTP                        # [4] 
+          port: 80                              # [5]
+          allowedRoutes:                        # [9]
+            kinds:
+              - kind: HTTPRoute                 # [10]
+            namespaces:
+              from: Selector                    # [11]
+              selector:                         # [12]
+                matchLabels:                    
+                  app: foo
    ```

    ```yaml tab="HTTPS Listener"
+    apiVersion: gateway.networking.k8s.io/v1alpha2
    kind: Gateway
-    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-https-gateway
      namespace: default
    spec:
      gatewayClassName: my-gateway-class        # [1]
      listeners:                                # [2]
-        - protocol: HTTPS                       # [3] 
-          port: 443                             # [4]
-          tls:                                  # [6]
-            certificateRef:                     # [7]
-              group: "core"
-              kind: "Secret"
-              name: "mysecret"
-          routes:                               # [8]
-            kind: HTTPRoute                     # [9]
-            selector:                           # [10]
-              matchLabels:                      # [11]
-                app: foo
+        - name: https                           # [3]
+          protocol: HTTPS                       # [4] 
+          port: 443                             # [5]
+          tls:                                  # [7]
+            certificateRefs:                    # [8]
+              - kind: "Secret"
+                name: "mysecret"
+          allowedRoutes:                        # [9]
+            kinds:
+              - kind: HTTPSRoute                # [10]
+            namespaces:
+              from: Selector                    # [11]
+              selector:                         # [12]
+                matchLabels:                    
+                  app: foo
    ```

    ```yaml tab="TCP Listener"
+    apiVersion: gateway.networking.k8s.io/v1alpha2
    kind: Gateway
-    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-tcp-gateway
      namespace: default
    spec:
      gatewayClassName: my-gateway-class        # [1]
      listeners:                                # [2]
-        - protocol: TCP                         # [3] 
-          port: 8000                            # [4]
-          routes:                               # [8]
-            kind: TCPRoute                      # [9]
-            selector:                           # [10]
-              matchLabels:                      # [11]
-                app: footcp
+        - name: tcp                             # [3]
+          protocol: TCP                         # [4] 
+          port: 8000                            # [5]
+          allowedRoutes:                        # [9]
+            kinds:
+              - kind: TCPRoute                  # [10]  
+            namespaces:
+              from: Selector                    # [11]
+              selector:                         # [12]
+                matchLabels:                    
+                  app: footcp
    ```

    ```yaml tab="TLS Listener"
+    apiVersion: gateway.networking.k8s.io/v1alpha2
    kind: Gateway
-    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-tls-gateway
      namespace: default
    spec:
      gatewayClassName: my-gateway-class        # [1]
      listeners:                                # [2]
-        - protocol: TLS                         # [3] 
-          port: 443                             # [4]
-          hostname: foo.com                     # [5]
-          tls:                                  # [6]
-            certificateRef:                     # [7]
-              group: "core"
-              kind: "Secret"
-              name: "mysecret"
-          routes:                               # [8]
-            kind: TLSRoute                      # [9]
-            selector:                           # [10]
-              matchLabels:                      # [11]
-                app: footcp
+        - name: tls                             # [3]
+          protocol: TLS                         # [4] 
+          port: 443                             # [5]
+          hostname: foo.com                     # [6]
+          tls:                                  # [7]
+            certificateRefs:                    # [8]
+              - kind: "Secret"
+                name: "mysecret"
+          allowedRoutes:                        # [9]
+            kinds:
+              - kind: TLSRoute                  # [10]
+            namespaces:
+              from: Selector                    # [11]
+              selector:                         # [12]
+                matchLabels:                    
+                  app: footcp
    ```

-| Ref  | Attribute          | Description                                                                                                                                          |
-|------|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [1]  | `gatewayClassName` | GatewayClassName used for this Gateway. This is the name of a GatewayClass resource.                                                                 |
-| [2]  | `listeners`        | Logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified.                                               |
-| [3]  | `protocol`         | The network protocol this listener expects to receive (only HTTP and HTTPS are implemented).                                                         |
-| [4]  | `port`             | The network port.                                                                                                                                    |
-| [5]  | `hostname`         | Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, “”, or *, all hostnames are matched. |
-| [6]  | `tls`              | TLS configuration for the Listener. This field is required if the Protocol field is "HTTPS" or "TLS" and ignored otherwise.                          |
-| [7]  | `certificateRef`   | The reference to Kubernetes object that contains a TLS certificate and private key.                                                                  |
-| [8]  | `routes`           | A schema for associating routes with the Listener using selectors.                                                                                   |
-| [9]  | `kind`             | The kind of the referent.                                                                                                                            |
-| [10] | `selector`         | Routes in namespaces selected by the selector may be used by this Gateway routes to associate with the Gateway.                                      |
-| [11] | `matchLabels`      | A set of route labels used for selecting routes to associate with the Gateway.                                                                       |
+| Ref  | Attribute          | Description                                                                                                                                                 |
+|------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [1]  | `gatewayClassName` | GatewayClassName used for this Gateway. This is the name of a GatewayClass resource.                                                                        |
+| [2]  | `listeners`        | Logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified.                                                      |
+| [3]  | `name`             | Name of the Listener.                                                                                                                                       |
+| [4]  | `protocol`         | The network protocol this listener expects to receive (only HTTP and HTTPS are implemented).                                                                |
+| [5]  | `port`             | The network port.                                                                                                                                           |
+| [6]  | `hostname`         | Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, “”, or *, all hostnames are matched.        |
+| [7]  | `tls`              | TLS configuration for the Listener. This field is required if the Protocol field is "HTTPS" or "TLS" and ignored otherwise.                                 |
+| [8]  | `certificateRefs`  | The references to Kubernetes objects that contains TLS certificates and private keys (only one reference to a Kubernetes Secret is supported).              |
+| [9]  | `allowedRoutes`    | Defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present.                       |
+| [10] | `kind`             | The kind of the Route.                                                                                                                                      |
+| [11] | `from`             | From indicates in which namespaces the Routes will be selected for this Gateway. Possible values are `All`, `Same` and `Selector` (Defaults to `Same`).     |
+| [12] | `selector`         | Selector must be specified when From is set to `Selector`. In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. |

 ### Kind: `HTTPRoute`

-`HTTPRoute` defines HTTP rules for mapping requests from a `Gateway` to Kubernetes Services. 
+`HTTPRoute` defines HTTP rules for mapping requests from a `Gateway` to Kubernetes Services.

 Register the `HTTPRoute` [definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the
 Kubernetes cluster before creating `HTTPRoute` objects.
@@ -191,61 +208,60 @@ Kubernetes cluster before creating `HTTPRoute` objects.
 !!! info "Declaring HTTPRoute"

    ```yaml
+    apiVersion: gateway.networking.k8s.io/v1alpha2
    kind: HTTPRoute
-    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
-      name: http-app-1
+      name: http-app
      namespace: default
-      labels:                                   # [1]
-        app: foo
    spec:
-      hostnames:                                # [2]
-        - "whoami"
-      rules:                                    # [3]
-        - matches:                              # [4]
-            - path:                             # [5]
-                type: Exact                     # [6]
-                value: /bar                     # [7]
-            - headers:                          # [8]
+      parentRefs:                               # [1]
+        - name: my-tcp-gateway                  # [2]
+          namespace: default                    # [3]
+          sectionName: tcp                      # [4] 
+      hostnames:                                # [5]
+        - whoami
+      rules:                                    # [6]
+        - matches:                              # [7]
+            - path:                             # [8]
                type: Exact                     # [9]
-                values:                         # [10]
-                  foo: bar
-          forwardTo:                            # [11]
-            - serviceName: whoami               # [12]
-              weight: 1                         # [13]
-              port: 80                          # [14]
-            - backendRef:                       # [15]
-                group: traefik.containo.us      # [16]
-                kind: TraefikService            # [17]
-                name: api@internal              # [18]
-              port: 80
-              weight: 1
+                value: /bar                     # [10]
+            - headers:                          # [11]
+                name: foo                       # [12]
+                value: bar                      # [13]
+        - backendRefs:                          # [14]
+            - name: whoamitcp                   # [15]
+              weight: 1                         # [16]
+              port: 8080                        # [17]
+            - name: api@internal
+              group: traefik.containo.us        # [18]
+              kind: TraefikService              # [19]
    ```

-| Ref  | Attribute     | Description                                                                                                                                                                                                                                  |
-|------|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [1]  | `labels`      | Labels to match with the `Gateway` labelselector.                                                                                                                                                                                            |
-| [2]  | `hostnames`   | A set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request.                                                                                                                               |
-| [3]  | `rules`       | A list of HTTP matchers, filters and actions.                                                                                                                                                                                                |
-| [4]  | `matches`     | Conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied.                                                                  |
-| [5]  | `path`        | An HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided.                                                                                                                            |
-| [6]  | `type`        | Type of match against the path Value (supported types: `Exact`, `Prefix`).                                                                                                                                                                   |
-| [7]  | `value`       | The value of the HTTP path to match against.                                                                                                                                                                                                 |
-| [8]  | `headers`     | Conditions to select a HTTP route by matching HTTP request headers.                                                                                                                                                                          |
-| [9]  | `type`        | Type of match for the HTTP request header match against the `values` (supported types: `Exact`).                                                                                                                                             |
-| [10] | `values`      | A map of HTTP Headers to be matched. It MUST contain at least one entry.                                                                                                                                                                     |
-| [11] | `forwardTo`   | The upstream target(s) where the request should be sent.                                                                                                                                                                                     |
-| [12] | `serviceName` | The name of the referent service.                                                                                                                                                                                                            |
-| [13] | `weight`      | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs).                                                                                                                                   |
-| [14] | `port`        | The port of the referent service.                                                                                                                                                                                                            |
-| [15] | `backendRef`  | The BackendRef is a reference to a backend (API object within a known namespace) to forward matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. Only `TraefikService` is supported. |
-| [16] | `group`       | Group is the group of the referent. Only `traefik.containo.us` value is supported.                                                                                                                                                           |
-| [17] | `kind`        | Kind is kind of the referent. Only `TraefikService` value is supported.                                                                                                                                                                      |
-| [18] | `name`        | Name is the name of the referent.                                                                                                                                                                                                            |
+| Ref  | Attribute     | Description                                                                                                                                                                 |
+|------|---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [1]  | `parentRefs`  | References the resources (usually Gateways) that a Route wants to be attached to.                                                                                           |
+| [2]  | `name`        | Name of the referent.                                                                                                                                                       |
+| [3]  | `namespace`   | Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route.                                                             |
+| [4]  | `sectionName` | Name of a section within the target resource (the Listener name).                                                                                                           |
+| [5]  | `hostnames`   | A set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request.                                                              |
+| [6]  | `rules`       | A list of HTTP matchers, filters and actions.                                                                                                                               |
+| [7]  | `matches`     | Conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. |
+| [8]  | `path`        | An HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided.                                                           |
+| [9]  | `type`        | Type of match against the path Value (supported types: `Exact`, `Prefix`).                                                                                                  |
+| [10] | `value`       | The value of the HTTP path to match against.                                                                                                                                |
+| [11] | `headers`     | Conditions to select a HTTP route by matching HTTP request headers.                                                                                                         |
+| [12] | `type`        | Type of match for the HTTP request header match against the `values` (supported types: `Exact`).                                                                            |
+| [13] | `value`       | A map of HTTP Headers to be matched. It MUST contain at least one entry.                                                                                                    |
+| [14] | `backendRefs` | Defines the backend(s) where matching requests should be sent.                                                                                                              |
+| [15] | `name`        | The name of the referent service.                                                                                                                                           |
+| [16] | `weight`      | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs).                                                                  |
+| [17] | `port`        | The port of the referent service.                                                                                                                                           |
+| [18] | `group`       | Group is the group of the referent. Only `traefik.containo.us` and `gateway.networking.k8s.io` values are supported.                                                        |
+| [19] | `kind`        | Kind is kind of the referent. Only `TraefikService` and `Service` values are supported.                                                                                     |

 ### Kind: `TCPRoute`

-`TCPRoute` allows mapping TCP requests from a `Gateway` to Kubernetes Services
+`TCPRoute` allows mapping TCP requests from a `Gateway` to Kubernetes Services.

 Register the `TCPRoute` [definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the
 Kubernetes cluster before creating `TCPRoute` objects.
@@ -253,76 +269,83 @@ Kubernetes cluster before creating `TCPRoute` objects.
 !!! info "Declaring TCPRoute"

    ```yaml
+    apiVersion: gateway.networking.k8s.io/v1alpha2
    kind: TCPRoute
-    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
-      name: tcp-app-1
+      name: tcp-app
      namespace: default
-      labels:                                   # [1]
-        app: tcp-app-1
    spec:
-      rules:                                    # [2]
-        - forwardTo:                            # [3]
-            - serviceName: whoamitcp            # [4]
-              weight: 1                         # [5]
-              port: 8080                        # [6]
-            - backendRef:                       # [7]
-                group: traefik.containo.us      # [8]
-                kind: TraefikService            # [9]
-                name: api@internal              # [10]
+      parentRefs:                               # [1]
+        - name: my-tcp-gateway                  # [2]
+          namespace: default                    # [3]
+          sectionName: tcp                      # [4]
+      rules:                                    # [5]
+        - backendRefs:                          # [6]
+            - name: whoamitcp                   # [7]
+              weight: 1                         # [8]
+              port: 8080                        # [9]
+            - name: api@internal
+              group: traefik.containo.us        # [10]
+              kind: TraefikService              # [11]
    ```

-| Ref  | Attribute     | Description                                                                                                                                                                                                                                  |
-|------|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [1]  | `labels`      | Labels to match with the `Gateway` labelselector.                                                                                                                                                                                            |
-| [2]  | `rules`       | Rules are a list of TCP matchers and actions.                                                                                                                                                                                                |
-| [3]  | `forwardTo`   | The upstream target(s) where the request should be sent.                                                                                                                                                                                     |
-| [4]  | `serviceName` | The name of the referent service.                                                                                                                                                                                                            |
-| [5]  | `weight`      | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs).                                                                                                                                   |
-| [6]  | `port`        | The port of the referent service.                                                                                                                                                                                                            |
-| [7]  | `backendRef`  | The BackendRef is a reference to a backend (API object within a known namespace) to forward matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. Only `TraefikService` is supported. |
-| [8]  | `group`       | Group is the group of the referent. Only `traefik.containo.us` value is supported.                                                                                                                                                           |
-| [9]  | `kind`        | Kind is kind of the referent. Only `TraefikService` value is supported.                                                                                                                                                                      |
-| [10] | `name`        | Name is the name of the referent.                                                                                                                                                                                                            |
+| Ref  | Attribute     | Description                                                                                                          |
+|------|---------------|----------------------------------------------------------------------------------------------------------------------|
+| [1]  | `parentRefs`  | References the resources (usually Gateways) that a Route wants to be attached to.                                    |
+| [2]  | `name`        | Name of the referent.                                                                                                |
+| [3]  | `namespace`   | Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route.      |
+| [4]  | `sectionName` | Name of a section within the target resource (the Listener name).                                                    |
+| [5]  | `rules`       | Rules are a list of TCP matchers and actions.                                                                        |
+| [6]  | `backendRefs` | Defines the backend(s) where matching requests should be sent.                                                       |
+| [7]  | `name`        | The name of the referent service.                                                                                    |
+| [8]  | `weight`      | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs).           |
+| [9]  | `port`        | The port of the referent service.                                                                                    |
+| [10] | `group`       | Group is the group of the referent. Only `traefik.containo.us` and `gateway.networking.k8s.io` values are supported. |
+| [11] | `kind`        | Kind is kind of the referent. Only `TraefikService` and `Service` values are supported.                              |

 ### Kind: `TLSRoute`

-`TLSRoute` allows mapping TLS requests from a `Gateway` to Kubernetes Services
+`TLSRoute` allows mapping TLS requests from a `Gateway` to Kubernetes Services.

 Register the `TLSRoute` [definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the
 Kubernetes cluster before creating `TLSRoute` objects.

-!!! info "Declaring TCPRoute"
+!!! info "Declaring TLSRoute"

    ```yaml
+    apiVersion: gateway.networking.k8s.io/v1alpha2
    kind: TLSRoute
-    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
-      name: tls-app-1
+      name: tls-app
      namespace: default
-      labels:                                   # [1]
-        app: tls-app-1
    spec:
-      rules:                                    # [2]
-        - forwardTo:                            # [3]
-            - serviceName: whoamitcp            # [4]
-              weight: 1                         # [5]
-              port: 8080                        # [6]
-            - backendRef:                       # [7]
-                group: traefik.containo.us      # [8]
-                kind: TraefikService            # [9]
-                name: api@internal              # [10]
+      parentRefs:                               # [1]
+        - name: my-tls-gateway                  # [2]
+          namespace: default                    # [3]
+          sectionName: tcp                      # [4]
+      hostnames:                                # [5]
+        - whoami                                
+      rules:                                    # [6]
+        - backendRefs:                          # [7]
+            - name: whoamitcp                   # [8]
+              weight: 1                         # [9]
+              port: 8080                        # [10]
+            - name: api@internal
+              group: traefik.containo.us        # [11]
+              kind: TraefikService              # [12]
    ```

-| Ref  | Attribute     | Description                                                                                                                                                                                                                                  |
-|------|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [1]  | `labels`      | Labels to match with the `Gateway` labelselector.                                                                                                                                                                                            |
-| [2]  | `rules`       | Rules are a list of TCP matchers and actions.                                                                                                                                                                                                |
-| [3]  | `forwardTo`   | The upstream target(s) where the request should be sent.                                                                                                                                                                                     |
-| [4]  | `serviceName` | The name of the referent service.                                                                                                                                                                                                            |
-| [5]  | `weight`      | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs).                                                                                                                                   |
-| [6]  | `port`        | The port of the referent service.                                                                                                                                                                                                            |
-| [7]  | `backendRef`  | The BackendRef is a reference to a backend (API object within a known namespace) to forward matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. Only `TraefikService` is supported. |
-| [8]  | `group`       | Group is the group of the referent. Only `traefik.containo.us` value is supported.                                                                                                                                                           |
-| [9]  | `kind`        | Kind is kind of the referent. Only `TraefikService` value is supported.                                                                                                                                                                      |
-| [10] | `name`        | Name is the name of the referent.                                                                                                                                                                                                            |
+| Ref  | Attribute     | Description                                                                                                          |
+|------|---------------|----------------------------------------------------------------------------------------------------------------------|
+| [1]  | `parentRefs`  | References the resources (usually Gateways) that a Route wants to be attached to.                                    |
+| [2]  | `name`        | Name of the referent.                                                                                                |
+| [3]  | `namespace`   | Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route.      |
+| [4]  | `sectionName` | Name of a section within the target resource (the Listener name).                                                    |
+| [5]  | `hostnames`   | Defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake.  |
+| [6]  | `rules`       | Rules are a list of TCP matchers and actions.                                                                        |
+| [7]  | `backendRefs` | Defines the backend(s) where matching requests should be sent.                                                       |
+| [8]  | `name`        | The name of the referent service.                                                                                    |
+| [9]  | `weight`      | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs).           |
+| [10] | `port`        | The port of the referent service.                                                                                    |
+| [11] | `group`       | Group is the group of the referent. Only `traefik.containo.us` and `gateway.networking.k8s.io` values are supported. |
+| [12] | `kind`        | Kind is kind of the referent. Only `TraefikService` and `Service` values are supported.                              |
--- a/docs/content/routing/providers/kubernetes-ingress.md
+++ b/docs/content/routing/providers/kubernetes-ingress.md
@@ -141,7 +141,7 @@ which in turn will create the resulting routers, services, handlers, etc.
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v2.5
+              image: traefik:v2.7
              args:
                - --entrypoints.web.address=:80
                - --providers.kubernetesingress
@@ -532,7 +532,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v2.5
+              image: traefik:v2.7
              args:
                - --entrypoints.websecure.address=:443
                - --entrypoints.websecure.http.tls
@@ -741,7 +741,7 @@ For more options, please refer to the available [annotations](#on-ingress).
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v2.5
+              image: traefik:v2.7
              args:
                - --entrypoints.websecure.address=:443
                - --providers.kubernetesingress
--- a/docs/content/routing/providers/kv.md
+++ b/docs/content/routing/providers/kv.md
@@ -366,7 +366,6 @@ You can declare TCP Routers and/or Services using KV.
    | Key (Path)                                    | Value    |
    |-----------------------------------------------|----------|
    | `traefik/tcp/routers/mytcprouter/tls/options` | `foobar` |
-    

 ??? info "`traefik/tcp/routers/<router_name>/tls/passthrough`"

@@ -376,6 +375,14 @@ You can declare TCP Routers and/or Services using KV.
    |---------------------------------------------------|--------|
    | `traefik/tcp/routers/mytcprouter/tls/passthrough` | `true` |

+??? info "`traefik/tcp/routers/<router_name>/priority`"
+
+    See [priority](../routers/index.md#priority_1) for more information.
+
+    | Key (Path)                               | Value |
+    |------------------------------------------|-------|
+    | `traefik/tcp/routers/myrouter/priority`  | `42`  |
+
 #### TCP Services

 ??? info "`traefik/tcp/services/<service_name>/loadbalancer/servers/<n>/url`"
--- a/docs/content/routing/providers/marathon.md
+++ b/docs/content/routing/providers/marathon.md
@@ -412,6 +412,14 @@ You can declare TCP Routers and/or Services using labels.
    "traefik.tcp.routers.mytcprouter.tls.passthrough": "true"
    ```

+??? info "`traefik.tcp.routers.<router_name>.priority`"
+
+    See [priority](../routers/index.md#priority_1) for more information.
+    
+    ```json
+    "traefik.tcp.routers.myrouter.priority": "42"
+    ```
+
 #### TCP Services

 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.port`"
--- a/docs/content/routing/providers/rancher.md
+++ b/docs/content/routing/providers/rancher.md
@@ -415,6 +415,14 @@ You can declare TCP Routers and/or Services using labels.
    - "traefik.tcp.routers.mytcprouter.tls.passthrough=true"
    ```

+??? info "`traefik.tcp.routers.<router_name>.priority`"
+
+    See [priority](../routers/index.md#priority_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.myrouter.priority=42"
+    ```
+
 #### TCP Services

 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.port`"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Romain	a49b537d9c	Prepare release v2.7.0-rc2	2022-03-29 17:00:09 +02:00
romain	45328ab719	Merge v2.6 into v2.7	2022-03-29 15:43:10 +02:00
Tom Moulard	4b755dc58d	Prepare release v2.6.3	2022-03-29 15:00:09 +02:00
Romain	0f29e893f4	Return TLS unrecognized_name error when no certificate is available	2022-03-28 18:18:08 +02:00
Michael	e3adf93a74	fix: CI release	2022-03-28 17:36:07 +02:00
Tom Moulard	81f88dd998	Freeze python dependencies	2022-03-28 16:22:10 +02:00
Ludovic Fernandez	b6bfa905db	Fix slice parsing for plugins	2022-03-28 15:24:08 +02:00
Jean-Baptiste Doumenjou	c0b0f3f0f7	Fix hub tls documentation	2022-03-25 15:42:08 +01:00
Tom Moulard	16d7b89cb1	Fixing dependency to build doc	2022-03-24 21:40:08 +01:00
Tom Moulard	a4560fa20d	Prepare release v2.7.0-rc1	2022-03-24 20:54:08 +01:00
Jean-Baptiste Doumenjou	fbdb6e6e78	Add Traefik Hub Integration (Experimental Feature)	2022-03-24 19:44:08 +01:00
romain	8d58f33a28	Merge v2.6 into master	2022-03-24 17:22:56 +01:00
Romain	9398222db7	Prepare release v2.6.2	2022-03-24 17:14:57 +01:00
Douglas De Toni Machado	d2a2362be5	Add a Feature Deprecation page	2022-03-24 12:28:07 +01:00
Ludovic Fernandez	4c0a3721d0	Plugins and token	2022-03-24 08:54:07 +01:00
Nikolay Stankov	ba2d09f6fb	Update entrypoint.md to add consistent CLI syntax	2022-03-23 10:38:09 +01:00
Nick Reilingh	7243e65b51	Fix certificates resolver typo	2022-03-23 09:26:08 +01:00
Tom Moulard	3bf4a8fbe2	Merge current v2.6 into master	2022-03-22 15:55:44 +01:00
Ludovic Fernandez	23a6602cbf	Bump paerser to v0.1.5	2022-03-22 11:04:08 +01:00
J.Winter	822b94c45d	Add default certificate definition example for Kubernetes	2022-03-22 09:56:07 +01:00
lczw	0a776c3fd5	Fix small typo in Redis provider documentation	2022-03-21 17:32:07 +01:00
Tom Moulard	d7378a96ad	chore: update linter	2022-03-21 10:42:08 +01:00
Wingy	db4c6111fd	Fix fenced code block typo in Buffering middleware page	2022-03-21 10:10:08 +01:00
Romain	2da7fa0397	Add HostSNIRegexp rule matcher for TCP	2022-03-18 16:04:08 +01:00
Tom Moulard	0d58e8d1ad	Add Traefik Hub access and remove Pilot access	2022-03-18 11:06:08 +01:00
Daniel Tomcej	dad76e0478	Add muxer for TCP Routers	2022-03-17 18:02:08 +01:00
Tom Moulard	79aab5aab8	Add Failover service Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2022-03-17 12:02:09 +01:00
Douglas De Toni Machado	b02c651961	Add a deprecation notices section	2022-03-17 10:28:09 +01:00
Nick Reilingh	0617a1b0e0	Fix routing overview examples	2022-03-16 15:00:08 +01:00
Nick Reilingh	06749e71f2	Clarify concepts documentation page	2022-03-15 15:38:08 +01:00
Tom Moulard	6622027c7c	Merge current v2.6 into master	2022-03-11 10:07:20 +01:00
Tchoupinax	401c171bbd	Add a link to service on router detail view	2022-03-07 16:16:08 +01:00
mpl	a1e766e180	doc: fix, docker uses Label(), not Tag()	2022-03-07 11:48:09 +01:00
Tom Moulard	63bb770b9c	Allow empty services in Kubernetes CRD	2022-03-07 11:08:07 +01:00
Tom Moulard	b3de9a040b	Add a target that is a real resource to generate-webui	2022-03-04 15:28:07 +01:00
Romain	a59dbc4c79	Adjust rule length in routers documentation	2022-03-04 11:24:07 +01:00
Kevin Pollet	40deefa868	Fix HostRegexp examples	2022-03-04 10:50:07 +01:00
mloiseleur	491de0cf64	Enhance doc on static vs dynamic configuration	2022-03-03 20:18:07 +01:00
Tom Moulard	c7b24f4e9c	Replace npm with yarn to install/run the webui	2022-03-03 18:08:07 +01:00
mpl	27a7563e33	Add simpler and faster debug Makefile target	2022-03-03 15:42:08 +01:00
Tom Moulard	25725e9b2f	Merge current v2.6 into master	2022-02-21 14:07:27 +01:00
Josh Soref	819de02101	Spelling	2022-02-21 12:40:09 +01:00
Tom Moulard	ce851a5929	Fix struct tag typo	2022-02-21 12:10:08 +01:00
0xflotus	7e390ef516	Fix brand typo	2022-02-21 10:50:08 +01:00
Romain	fb23bd5d26	Fix empty WebUI static assets directory	2022-02-18 15:44:08 +01:00
Ludovic Fernandez	6974f54bfd	docs: fix product name	2022-02-15 17:04:34 +01:00
Kevin Pollet	aaf5aa4506	Configure advertised port using h3 server option Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-02-15 16:04:09 +01:00
Ludovic Fernandez	371b6e3c86	chore: update linter	2022-02-15 14:56:53 +01:00
Sylvain Rabot	9297055ad8	Upgrade quic-go to v0.25.0	2022-02-15 10:16:08 +01:00
Sakala Venkata Krishna Rohit	9e96089da6	Add s390x arch support	2022-02-15 10:08:08 +01:00
Tom Moulard	a79868fadc	Merge current v2.6 into master	2022-02-15 09:09:16 +01:00
Tom Moulard	84a0810546	Prepare release v2.6.1	2022-02-14 17:44:08 +01:00
Ludovic Fernandez	d9fbb5e25c	Use CNAME for SNI check on host header Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2022-02-14 17:18:08 +01:00
Ludovic Fernandez	e97aa6515b	Update test certificates	2022-02-14 14:08:07 +01:00
luckielordie	6bcfba43c8	Rename Datadog span tags	2022-02-10 16:00:09 +01:00
Ludovic Fernandez	0c83ee736c	Apply the same approach as the rules system on the TLS configuration choice Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2022-02-10 10:42:07 +01:00
Dmitry Sharshakov	ca55dfe1c6	Support InfluxDB v2 metrics backend	2022-02-09 15:32:12 +01:00
Tom Moulard	4da33c2bc2	Fix metrics bucket key high cardinality	2022-02-09 09:58:08 +01:00
Sylvain Rabot	2d56be0ebb	Fix Kubernetes TCP examples	2022-02-07 15:22:07 +01:00
Richard Kojedzinszky	5780dc2b15	Refactor configuration reload/throttling Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2022-02-07 11:58:04 +01:00
Tom Moulard	764bf59d4d	Merge current v2.6 into master	2022-02-04 14:32:57 +01:00
Tom Moulard	6742dd8454	Fix mixups in metrics documentation	2022-02-03 15:16:12 +01:00
Vladislav Shub	3ac755bd2f	Add Hurricane Electric to acme documentation	2022-01-31 13:30:05 +01:00
JasonWang2016	7543709ecf	Watch for Consul events to rebuild the dynamic configuration Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com> Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-01-28 17:16:07 +01:00
Ludovic Fernandez	3ed72c4e46	Add domain to HTTP challenge errors	2022-01-27 10:58:04 +01:00
mpl	477fa15859	Clarify that ACME challenge is mandatory	2022-01-26 18:10:05 +01:00
kevinpollet	1048348ae6	Merge current v2.6 into master	2022-01-25 18:19:40 +01:00
Manuel Zapf	390eb9cb61	Explain a bit more around enabling HTTP3	2022-01-25 10:48:05 +01:00
Romain	5a1c936ede	Prepare release v2.6.0	2022-01-24 17:58:04 +01:00
romain	47ad6538f1	Merge current v2.5 into v2.6	2022-01-24 15:42:27 +01:00
Kevin Pollet	9be44d8330	Configure Consul Catalog namespace at client level Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-01-24 15:30:05 +01:00
Ali	a4b354b33f	Redact credentials before logging Co-authored-by: Tom Moulard <tom.moulard@traefik.io> Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2022-01-24 11:08:05 +01:00
Philippos Slicher	a70b864c55	Fix typo in metrics overview page	2022-01-21 09:54:07 +01:00
Romain	3bd5fc0f90	Prepare release v2.6.0-rc3	2022-01-20 18:58:07 +01:00
Tom Moulard	aabfb792af	Merge current v2.5 into v2.6	2022-01-20 17:44:55 +01:00
Romain	e5e48d1cc1	Prepare release v2.5.7	2022-01-20 17:08:07 +01:00
Tom Moulard	42a110dd69	Adjust log level from info to debug Co-authored-by: rhtenhove <rhtenhove@users.noreply.github.com>	2022-01-20 12:36:08 +01:00
Tom Moulard	64af364b02	Merge current v2.5 into v2.6	2022-01-20 09:48:51 +01:00
Ludovic Fernandez	cf14b8fa92	Update go-acme/lego to v4.6.0	2022-01-20 09:38:07 +01:00
Kevin Pollet	e7dc6ec025	Fix HTTP provider endpoint config example	2022-01-19 19:50:05 +01:00
Kevin Pollet	f29e311b73	Support token authentication for Consul KV	2022-01-19 17:46:11 +01:00
romain	a914ce2bd2	docs: fix instana tracer documentation link	2022-01-19 16:35:06 +01:00
romain	b42a7c89e7	Merge current v2.5 into v2.6	2022-01-19 16:16:18 +01:00
Romain	67483c1b17	Exclude www.cloudxns.net from documentation verification	2022-01-19 16:10:08 +01:00
mpl	4071f1e7f2	Mitigate memory leak	2022-01-17 14:28:05 +01:00
Ludovic Fernandez	577709fff3	fix: middleware plugins memory leak Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2022-01-14 12:22:06 +01:00
Tom Moulard	8cd45476ac	Fix middleware regexp's display	2022-01-13 18:38:06 +01:00
Tom Moulard	cf14504fd5	Prepare release v2.6.0-rc2	2022-01-12 16:40:06 +01:00
Kevin Pollet	b84829336d	Support Consul KV Enterprise namespaces Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-01-12 14:42:21 +01:00
Tom Moulard	ba822acb23	Merge current v2.6 into master	2022-01-10 16:17:25 +01:00
Andrii Kushch	d969e59911	Upgrade Instana tracer dependency	2022-01-10 16:08:20 +01:00
Tom Moulard	936b6148ff	Merge current v2.5 into v2.6	2022-01-10 14:43:25 +01:00
Martin Rauscher	a9776ceafc	Improve regexp matcher documentation	2022-01-10 14:32:04 +01:00
Colin Wilson	e471239955	Remove typo in Kubernetes providers labelSelector examples	2022-01-06 11:58:07 +01:00
Kevin Pollet	2e8156bfaa	Update copyright for 2022	2022-01-06 11:34:05 +01:00
Tom Moulard	f5dd233a3b	Merge current v2.6 into master	2021-12-29 17:35:32 +01:00
Tom Moulard	48ce6c32c1	Remove go-bindata from semaphore	2021-12-29 17:32:06 +01:00
Tom Moulard	4990239855	Merge current v2.5 into v2.6	2021-12-29 15:08:51 +01:00
Tom Moulard	5e2c929322	Fix broken jaeger documentation link	2021-12-29 15:06:04 +01:00
Tom Moulard	2b5355c849	Update golangci-lint install script	2021-12-23 15:44:05 +01:00
Romain	f21f71786a	Prepare release v2.5.6	2021-12-22 17:22:04 +01:00
Tom Moulard	fc7f109cb2	Merge current v2.5 into v2.6	2021-12-22 15:02:51 +01:00
Tom Moulard	a711f0d037	fix: update goreleaser install link to use gist	2021-12-22 14:12:04 +01:00
Ludovic Fernandez	98fc6ca441	Update Yaegi to v0.11.2	2021-12-22 09:24:05 +01:00
ichx	c10f1a3a36	Add missing API endpoints documentation	2021-12-21 14:48:05 +01:00
Tom Moulard	da092e653d	Prepare release v2.6.0-rc1	2021-12-20 17:02:06 +01:00
Tom Moulard	bf29417136	Merge current v2.5 into master	2021-12-20 14:43:35 +01:00
Douglas De Toni Machado	79a14ce992	Fix passTLSClientCert CRD example name	2021-12-18 00:52:04 +01:00
Alestrix	99ce26f7b1	Correct documentation in middleware overview	2021-12-17 16:24:06 +01:00
Kevin Pollet	16250361c3	chore: update golang.org/x/net dependency version	2021-12-16 11:52:04 +01:00
Kevin Pollet	be44385b42	fix: process all X-Forwarded-For headers in the request	2021-12-14 15:36:07 +01:00
Tom Moulard	54c77ecb54	Prepare release v2.5.5	2021-12-10 17:52:04 +01:00
tfny	a30f0dcabd	Update CODE_OF_CONDUCT.md	2021-12-09 11:00:06 +01:00
Ludovic Fernandez	efef7dce4f	plugins: start the go routine before calling Provide	2021-12-08 17:08:05 +01:00
Tom Moulard	1c9e4c6050	doc: align docker configuration example notes in basicauth HTTP middleware	2021-12-07 10:04:05 +01:00
Tom Moulard	89cd9e8ddd	Merge current v2.5 into master	2021-12-06 17:39:06 +01:00
Markus Lippert	92093a8c09	Update go-acme/lego to v4.5.3	2021-12-06 15:44:04 +01:00
Kevin Pollet	d970813c20	Support consul enterprise namespaces in consul catalog provider Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2021-12-03 19:30:07 +01:00
Kevin Pollet	f69982aa9d	docs: uniformize client TLS config documentation	2021-12-02 15:42:06 +01:00
Tom Moulard	82fdc569c2	docs: removing typo in consul-catalog provider doc	2021-12-01 15:58:05 +01:00
Tom Moulard	def0c1a526	Update yaegi to v0.11.1	2021-11-30 17:36:06 +01:00
Tom Moulard	93de7cf0c0	feat: add in flight connection middleware	2021-11-29 17:12:06 +01:00
Romain Bailly	ef2d03d96e	fix: propagate source criterion config to RateLimit middleware in Kubernetes CRD	2021-11-26 12:10:11 +01:00
Kevin Pollet	321c9421ea	chore: update docker/cli and containerd dependency versions	2021-11-25 15:34:06 +01:00
Charlie Haley	5a225b4196	test: upgrade docker-compose Co-authored-by: Rémi Buisson <remi.buisson@traefik.io>	2021-11-25 11:10:06 +01:00
Pierre-Yves Aillet	95fabeae73	feat: rate-limit ceil Retry-After to superior integer	2021-11-16 16:38:11 +01:00
Gustavo Silva	525a6cf5b2	docs: remove misleading metrics overview configuration	2021-11-16 09:38:12 +01:00
Julien Acroute	27ec0912d5	docs: health check use readiness probe in k8s	2021-11-15 11:14:06 +01:00
Daniel Adams	83a7f10c75	Refactor Exponential Backoff	2021-11-10 15:34:10 +01:00
Pablo Montepagano	0a5c9095ac	feat: allow configuration of ACME certificates duration	2021-11-10 12:06:09 +01:00
kerrsmith	0a31225e65	fixed minor spelling error in Regexp Syntax section	2021-11-09 16:50:11 +01:00
Kevin Pollet	db4a92d877	fix: increase UDP read buffer length to max datagram size Co-authored-by: Tom Moulard <tom.moulard@traefik.io>	2021-11-09 15:12:07 +01:00
Ludovic Fernandez	9df053e3f5	Update yaegi v0.11.0	2021-11-09 14:30:09 +01:00
Tom Moulard	1f17731369	feat: add readIdleTimeout and pingTimeout config options to ServersTransport Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2021-11-09 12:16:08 +01:00
Kevin Pollet	8e32d1913b	Update gateway api provider to v1alpha2 Co-authored-by: Tom Moulard <tom.moulard@traefik.io>	2021-11-09 11:34:06 +01:00
Tom Moulard	e10a82a501	fix: git ignore autogen/	2021-11-09 03:48:13 +01:00
kevinpollet	ce47f200d5	Merge branch v2.5 into master	2021-11-08 22:41:43 +01:00
Huan Wang	85dd45cb81	Add prefix to datadog metrics	2021-10-06 17:34:07 +02:00
kevinpollet	32340252b2	Merge branch v2.5 into master	2021-10-06 11:55:12 +02:00
Tom Moulard	969dd088a2	gateway api: support RouteNamespaces Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>	2021-10-04 15:46:08 +02:00
Andrii Kushch	9ef3fc84f9	Upgrade Instana tracer and make process profiling configurable	2021-09-29 11:52:08 +02:00
Tom Moulard	380514941c	Merge current v2.5 into master	2021-09-23 16:10:03 +02:00
Lukas Schulte Pelkum	07a3c37a23	Implement customizable minimum body size for compress middleware	2021-09-20 18:00:08 +02:00
Harald Kraemer	8f0832d340	Add configurable tags to influxdb metrics	2021-09-17 09:08:07 +02:00
Kevin Pollet	2084201c8f	fix: experimental image build Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>	2021-09-15 12:10:06 +02:00
Antoine	70359e5d27	Replace go-bindata with Go embed Co-authored-by: nrwiersma <nick@wiersma.co.za>	2021-09-15 10:36:14 +02:00
Daniel Tomcej	7ff13c3e3e	Support Kubernetes basic-auth secrets Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2021-09-14 15:16:11 +02:00
valerauko	60ff50a675	Add HTTP3Config	2021-09-10 14:58:13 +02:00
Jean-Baptiste Doumenjou	ba3967aa16	Merge current v2.5 into master	2021-09-10 12:00:24 +02:00
romain	4235cef1b2	Merge current v2.5 into master	2021-09-03 09:13:34 +02:00
romain	f81ceaef8a	Merge current v2.5 into master	2021-08-30 14:51:57 +02:00
Eric	817ac8f256	Add organizationalUnit to passtlscert middleware	2021-07-28 17:42:09 +02:00
romain	c76d58d532	Merge current v2.5 into master	2021-07-28 15:21:46 +02:00
Tom Moulard	f25139424a	Merge remote-tracking branch 'origin/v2.5' into merge-back-v2.5-into-master	2021-07-23 13:14:26 +02:00
romain	36ffdf548d	Merge v2.5 into master	2021-07-20 15:38:53 +02:00
romain	ca2ff214c4	Merge current v2.5 into master	2021-06-30 11:56:49 +02:00