Merge branch 'v3.0' of github.com:traefik/traefik

Signed-off-by: baalajimaestro <me@baalajimaestro.me>

.golangci.yml

@@ -150,18 +150,14 @@ linters-settings:
       - github.com/jaguilar/vt100
       - github.com/cucumber/godog
   testifylint:
-    enable:
+    disable:
-      - bool-compare
+      - suite-dont-use-pkg
-      - compares
+      - require-error
-      - empty
+      - go-require
-      - error-is-as
+  staticcheck:
-      - error-nil
+    checks:
-      - expected-actual
+      - all
-      - float-compare
+      - -SA1019
-      - len
-      - suite-extra-assert-call
-      - suite-thelper
-
 linters:
   enable-all: true
   disable:
@@ -216,11 +212,12 @@ linters:
 
 issues:
   exclude-use-default: false
-  max-per-linter: 0
+  max-issues-per-linter: 0
   max-same-issues: 0
   exclude:
     - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
     - "should have a package comment, unless it's in another file for this package"
+    - 'fmt.Sprintf can be replaced with string addition'
   exclude-rules:
     - path: '(.+)_test.go'
       linters:

.semaphore/semaphore.yml

@@ -19,13 +19,13 @@ global_job_config:
   prologue:
     commands:
       - curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
-      - sudo semgo go1.21
+      - sudo semgo go1.22
       - export "GOPATH=$(go env GOPATH)"
       - export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
       - export "PATH=${GOPATH}/bin:${PATH}"
       - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
       - export GOPROXY=https://proxy.golang.org,direct
-      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.55.2
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.56.0
       - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
       - checkout
       - cache restore traefik-$(checksum go.sum)

CHANGELOG.md

@@ -1,3 +1,13 @@
+## [v2.11.0-rc2](https://github.com/traefik/traefik/tree/v2.11.0-rc2) (2024-01-24)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.0-rc1...v2.11.0-rc2)
+
+**Bug fixes:**
+- **[middleware,tcp]** Add missing TCP IPAllowList middleware constructor ([#10331](https://github.com/traefik/traefik/pull/10331) by [youkoulayley](https://github.com/youkoulayley))
+- **[nomad]** Update the Nomad API dependency to v1.7.2 ([#10327](https://github.com/traefik/traefik/pull/10327) by [jrasell](https://github.com/jrasell))
+
+**Documentation:**
+- Improve Concepts documentation page ([#10315](https://github.com/traefik/traefik/pull/10315) by [oliver-dvorski](https://github.com/oliver-dvorski))
+
 ## [v2.11.0-rc1](https://github.com/traefik/traefik/tree/v2.11.0-rc1) (2024-01-02)
 [All Commits](https://github.com/traefik/traefik/compare/0a7964300166d167f68d5502bc245b3b9c8842b4...v2.11.0-rc1)
 

Makefile

@@ -22,40 +22,41 @@ LINT_EXECUTABLES = misspell shellcheck
 DOCKER_BUILD_PLATFORMS ?= linux/amd64,linux/arm64
 
 .PHONY: default
+#? default: Run `make generate` and `make binary`
 default: generate binary
 
-## Create the "dist" directory
+#? dist: Create the "dist" directory
 dist:
 	mkdir -p dist
 
-## Build WebUI Docker image
 .PHONY: build-webui-image
+#? build-webui-image: Build WebUI Docker image
 build-webui-image:
 	docker build -t traefik-webui -f webui/Dockerfile webui
 
-## Clean WebUI static generated assets
 .PHONY: clean-webui
+#? clean-webui: Clean WebUI static generated assets
 clean-webui:
 	rm -r webui/static
 	mkdir -p webui/static
 	printf 'For more information see `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md
 
-## Generate WebUI
 webui/static/index.html:
 	$(MAKE) build-webui-image
 	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui npm run build:nc
 	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ./static
 
 .PHONY: generate-webui
+#? generate-webui: Generate WebUI
 generate-webui: webui/static/index.html
 
-## Generate code
 .PHONY: generate
+#? generate: Generate code (Dynamic and Static configuration documentation reference files)
 generate:
 	go generate
 
-## Build the binary
 .PHONY: binary
+#? binary: Build the binary
 binary: generate-webui dist
 	@echo SHA: $(VERSION) $(CODENAME) $(DATE)
 	CGO_ENABLED=0 GOGC=off GOOS=${GOOS} GOARCH=${GOARCH} go build ${FLAGS[*]} -ldflags "-s -w \
@@ -80,38 +81,39 @@ binary-windows-amd64: export BIN_NAME := traefik.exe
 binary-windows-amd64:
 	@$(MAKE) binary
 
-## Build the binary for the standard platforms (linux, darwin, windows)
 .PHONY: crossbinary-default
+#? crossbinary-default: Build the binary for the standard platforms (linux, darwin, windows)
 crossbinary-default: generate generate-webui
 	$(CURDIR)/script/crossbinary-default.sh
 
-## Run the unit and integration tests
 .PHONY: test
+#? test: Run the unit and integration tests
 test: test-unit test-integration
 
-## Run the unit tests
 .PHONY: test-unit
+#? test-unit: Run the unit tests
 test-unit:
 	GOOS=$(GOOS) GOARCH=$(GOARCH) go test -cover "-coverprofile=cover.out" -v $(TESTFLAGS) ./pkg/... ./cmd/...
 
-## Run the integration tests
 .PHONY: test-integration
+#? test-integration: Run the integration tests
 test-integration: binary
 	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -test.timeout=20m -failfast -v $(TESTFLAGS)
 
-## Run the conformance tests
 .PHONY: test-gateway-api-conformance
+#? test-gateway-api-conformance: Run the conformance tests
 test-gateway-api-conformance: binary
 	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance=true $(TESTFLAGS)
 
 ## TODO: Need to be fixed to work in all situations.
-## Run the conformance tests
 .PHONY: test-gateway-api-conformance-ci
+#? test-gateway-api-conformance-ci: Run the conformance tests
 test-gateway-api-conformance-ci:
 	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance=true $(TESTFLAGS)
 
-## Pull all Docker images to avoid timeout during integration tests
+
 .PHONY: pull-images
+#? pull-images: Pull all Docker images to avoid timeout during integration tests
 pull-images:
 	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml \
 		| awk '{print $$2}' \
@@ -119,21 +121,21 @@ pull-images:
 		| uniq \
 		| xargs -P 6 -n 1 docker pull
 
-## Lint run golangci-lint
 .PHONY: lint
+#? lint: Run golangci-lint
 lint:
 	golangci-lint run
 
-## Validate code and docs
 .PHONY: validate-files
+#? validate-files: Validate code and docs
 validate-files: lint
 	$(foreach exec,$(LINT_EXECUTABLES),\
             $(if $(shell which $(exec)),,$(error "No $(exec) in PATH")))
 	$(CURDIR)/script/validate-misspell.sh
 	$(CURDIR)/script/validate-shell-script.sh
 
-## Validate code, docs, and vendor
 .PHONY: validate
+#? validate: Validate code, docs, and vendor
 validate: lint
 	$(foreach exec,$(EXECUTABLES),\
             $(if $(shell which $(exec)),,$(error "No $(exec) in PATH")))
@@ -147,51 +149,57 @@ multi-arch-image-%: binary-linux-amd64 binary-linux-arm64
 	docker buildx build $(DOCKER_BUILDX_ARGS) -t traefik/traefik:$* --platform=$(DOCKER_BUILD_PLATFORMS) -f Dockerfile .
 
 
-## Clean up static directory and build a Docker Traefik image
 .PHONY: build-image
+#? build-image: Clean up static directory and build a Docker Traefik image
 build-image: export DOCKER_BUILDX_ARGS := --load
 build-image: export DOCKER_BUILD_PLATFORMS := linux/$(GOARCH)
 build-image: clean-webui
 	@$(MAKE) multi-arch-image-latest
 
-## Build a Docker Traefik image without re-building the webui when it's already built
 .PHONY: build-image-dirty
+#? build-image-dirty: Build a Docker Traefik image without re-building the webui when it's already built
 build-image-dirty: export DOCKER_BUILDX_ARGS := --load
 build-image-dirty: export DOCKER_BUILD_PLATFORMS := linux/$(GOARCH)
 build-image-dirty:
 	@$(MAKE) multi-arch-image-latest
 
-## Build documentation site
 .PHONY: docs
+#? docs: Build documentation site
 docs:
 	make -C ./docs docs
 
-## Serve the documentation site locally
 .PHONY: docs-serve
+#? docs-serve: Serve the documentation site locally
 docs-serve:
 	make -C ./docs docs-serve
 
-## Pull image for doc building
 .PHONY: docs-pull-images
+#? docs-pull-images: Pull image for doc building
 docs-pull-images:
 	make -C ./docs docs-pull-images
 
-## Generate CRD clientset and CRD manifests
 .PHONY: generate-crd
+#? generate-crd: Generate CRD clientset and CRD manifests
 generate-crd:
 	@$(CURDIR)/script/code-gen-docker.sh
 
-## Generate code from dynamic configuration https://github.com/traefik/genconf
 .PHONY: generate-genconf
+#? generate-genconf: Generate code from dynamic configuration github.com/traefik/genconf
 generate-genconf:
 	go run ./cmd/internal/gen/
 
-## Create packages for the release
 .PHONY: release-packages
+#? release-packages: Create packages for the release
 release-packages: generate-webui
 	$(CURDIR)/script/release-packages.sh
 
-## Format the Code
 .PHONY: fmt
+#? fmt: Format the Code
 fmt:
 	gofmt -s -l -w $(SRCS)
+
+.PHONY: help
+#? help: Get more info on make commands
+help: Makefile
+	@echo " Choose a command run in traefik:"
+	@sed -n 's/^#?//p' $< | column -t -s ':' |  sort | sed -e 's/^/ /'

README.md

@@ -72,6 +72,7 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 
 - [Docker](https://doc.traefik.io/traefik/providers/docker/) / [Swarm mode](https://doc.traefik.io/traefik/providers/docker/)
 - [Kubernetes](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
+- [ECS](https://doc.traefik.io/traefik/providers/ecs/)
 - [File](https://doc.traefik.io/traefik/providers/file/)
 
 ## Quickstart

cmd/traefik/traefik.go

@@ -193,10 +193,13 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	tsProviders := initTailscaleProviders(staticConfiguration, &providerAggregator)
 
-	// Metrics
+	// Observability
 
 	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
 	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
+	accessLog := setupAccessLog(staticConfiguration.AccessLog)
+	tracer, tracerCloser := setupTracing(staticConfiguration.Tracing)
+	observabilityMgr := middleware.NewObservabilityMgr(*staticConfiguration, metricsRegistry, accessLog, tracer, tracerCloser)
 
 	// Entrypoints
 
@@ -263,14 +266,11 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	roundTripperManager := service.NewRoundTripperManager(spiffeX509Source)
 	dialerManager := tcp.NewDialerManager(spiffeX509Source)
 	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
-	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry, roundTripperManager, acmeHTTPHandler)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, observabilityMgr, roundTripperManager, acmeHTTPHandler)
 
 	// Router factory
-	accessLog := setupAccessLog(staticConfiguration.AccessLog)
 
-	tracer, tracerCloser := setupTracing(staticConfiguration.Tracing)
+	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, observabilityMgr, pluginBuilder, dialerManager)
-	chainBuilder := middleware.NewChainBuilder(metricsRegistry, accessLog, tracer)
-	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder, metricsRegistry, dialerManager)
 
 	// Watcher
 
@@ -351,7 +351,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		}
 	})
 
-	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, chainBuilder, accessLog, tracerCloser), nil
+	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, observabilityMgr), nil
 }
 
 func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvider http.Handler) http.Handler {
@@ -520,15 +520,14 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 		}
 	}
 
-	if metricsConfig.OpenTelemetry != nil {
+	if metricsConfig.OTLP != nil {
 		logger := log.With().Str(logs.MetricsProviderName, "openTelemetry").Logger()
 
-		openTelemetryRegistry := metrics.RegisterOpenTelemetry(logger.WithContext(context.Background()), metricsConfig.OpenTelemetry)
+		openTelemetryRegistry := metrics.RegisterOpenTelemetry(logger.WithContext(context.Background()), metricsConfig.OTLP)
 		if openTelemetryRegistry != nil {
 			registries = append(registries, openTelemetryRegistry)
 			logger.Debug().
-				Str("address", metricsConfig.OpenTelemetry.Address).
+				Str("pushInterval", metricsConfig.OTLP.PushInterval.String()).
-				Str("pushInterval", metricsConfig.OpenTelemetry.PushInterval.String()).
 				Msg("Configured OpenTelemetry metrics")
 		}
 	}

docs/content/https/acme.md

@@ -313,7 +313,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [ACME DNS](https://github.com/joohoi/acme-dns)                         | `acme-dns`         | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)         |
 | [Alibaba Cloud](https://www.alibabacloud.com)                          | `alidns`           | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)           |
 | [all-inkl](https://all-inkl.com)                                       | `allinkl`          | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl)          |
-| [ArvanCloud](https://www.arvancloud.ir/en)                            | `arvancloud`       | `ARVANCLOUD_API_KEY`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)       |
+| [ArvanCloud](https://www.arvancloud.ir/en)                             | `arvancloud`       | `ARVANCLOUD_API_KEY`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)       |
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)               | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
 | [Autodns](https://www.internetx.com/domains/autodns/)                  | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
 | [Azure](https://azure.microsoft.com/services/dns/)  (DEPRECATED)       | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`                                        | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
@@ -361,6 +361,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Hetzner](https://hetzner.com)                                         | `hetzner`          | `HETZNER_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
 | [hosting.de](https://www.hosting.de)                                   | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
 | [Hosttech](https://www.hosttech.eu)                                    | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
+| [http.net](https://www.http.net/)                                      | `httpnet`          | `HTTPNET_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/httpnet)          |
 | [Hurricane Electric](https://dns.he.net)                               | `hurricane`        | `HURRICANE_TOKENS` [^6]                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/hurricane)        |
 | [HyperOne](https://www.hyperone.com)                                   | `hyperone`         | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)         |
 | [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)                    | `ibmcloud`         | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)         |
@@ -426,6 +427,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [VK Cloud](https://mcs.mail.ru/)                                       | `vkcloud`          | `VK_CLOUD_PASSWORD`, `VK_CLOUD_PROJECT_ID`, `VK_CLOUD_USERNAME`                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/vkcloud)          |
 | [Vscale](https://vscale.io/)                                           | `vscale`           | `VSCALE_API_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)           |
 | [VULTR](https://www.vultr.com)                                         | `vultr`            | `VULTR_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)            |
+| [Webnames](https://www.webnames.ru/)                                   | `webnames`         | `WEBNAMES_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/webnames)         |
 | [Websupport](https://websupport.sk)                                    | `websupport`       | `WEBSUPPORT_API_KEY`, `WEBSUPPORT_SECRET`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/websupport)       |
 | [WEDOS](https://www.wedos.com)                                         | `wedos`            | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)            |
 | [Yandex 360](https://360.yandex.ru)                                    | `yandex360`        | `YANDEX360_OAUTH_TOKEN`, `YANDEX360_ORG_ID`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/yandex360)        |

docs/content/middlewares/http/circuitbreaker.md

@@ -85,6 +85,7 @@ At specified intervals (`checkPeriod`), the circuit breaker evaluates `expressio
 ### Open
 
 While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
+The fallback mechanism returns a `HTTP 503` (or `ResponseCode`) to the client.
 After this duration, it enters the recovering state.
 
 ### Recovering
@@ -179,3 +180,9 @@ The duration for which the circuit breaker will wait before trying to recover (f
 _Optional, Default="10s"_
 
 The duration for which the circuit breaker will try to recover (as soon as it is in recovering state).
+
+### `ResponseCode`
+
+_Optional, Default="503"_
+
+The status code that the circuit breaker will return while it is in the open state.

docs/content/middlewares/http/contenttype.md

@@ -52,3 +52,16 @@ http:
 [http.middlewares]
   [http.middlewares.autodetect.contentType]
 ```
+
+## Configuration Options
+
+### `autoDetect`
+
+!!! warning
+
+    `autoDetect` option is deprecated and should not be used.
+    Moreover, it is redundant with an empty ContentType middleware declaration.
+
+`autoDetect` specifies whether to let the `Content-Type` header,
+if it has not been set by the backend,
+be automatically set to a value derived from the contents of the response.

docs/content/middlewares/http/headers.md

@@ -314,11 +314,43 @@ The `allowedHosts` option lists fully qualified domain names that are allowed.
 
 The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
 
+### `sslRedirect`
+
+!!! warning
+
+    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
+
+The `sslRedirect` only allow HTTPS requests when set to `true`.
+
+### `sslTemporaryRedirect`
+
+!!! warning
+
+    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
+
+Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
+
+### `sslHost`
+
+!!! warning
+
+    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
+
+The `sslHost` option is the host name that is used to redirect HTTP requests to HTTPS.
+
 ### `sslProxyHeaders`
 
 The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid HTTPS request.
 It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).
 
+### `sslForceHost`
+
+!!! warning
+
+    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
+
+Set `sslForceHost` to `true` and set `sslHost` to force requests to use `SSLHost` regardless of whether they already use SSL.
+
 ### `stsSeconds`
 
 The `stsSeconds` is the max-age of the `Strict-Transport-Security` header.
@@ -370,6 +402,14 @@ The `publicKey` implements HPKP to prevent MITM attacks with forged certificates
 
 The `referrerPolicy` allows sites to control whether browsers forward the `Referer` header to other sites.
 
+### `featurePolicy`
+
+!!! warning
+
+    Deprecated in favor of [`permissionsPolicy`](#permissionsPolicy)
+
+The `featurePolicy` allows sites to control browser features.
+
 ### `permissionsPolicy`
 
 The `permissionsPolicy` allows sites to control browser features.

docs/content/middlewares/http/stripprefix.md

@@ -76,3 +76,72 @@ For instance, `/products` also matches `/products/shoes` and `/products/shirts`.
 
 If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
 Using the previous example, the backend should return `/products/shoes/image.png` (and not `/image.png`, which Traefik would likely not be able to associate with the same backend).
+
+### `forceSlash`
+
+_Optional, Default=true_
+
+!!! warning
+
+    `forceSlash` option is deprecated and should not be used.
+
+The `forceSlash` option ensures the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
+
+??? info "Behavior examples"
+
+    - `forceSlash=true`
+
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | `/`    |
+    | `/foo`     | `/foo`          | `/`    |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | `/`    |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |
+
+    - `forceSlash=false`
+
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | empty  |
+    | `/foo`     | `/foo`          | empty  |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | empty  |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
+  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: example
+spec:
+  stripPrefix:
+    prefixes:
+      - "/foobar"
+    forceSlash: false
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    example:
+      stripPrefix:
+        prefixes:
+          - "/foobar"
+        forceSlash: false
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.example.stripPrefix]
+    prefixes = ["/foobar"]
+    forceSlash = false
+```

docs/content/migration/v2-to-v3.md

@@ -693,3 +693,13 @@ Here are two possible transition strategies:
     This allows continued compatibility with the existing infrastructure.
 
 Please check the [OpenTelemetry Tracing provider documention](../observability/tracing/opentelemetry.md) for more information.
+
+#### Internal Resources Observability (AccessLogs, Metrics and Tracing)
+
+In v3, observability for internal routers or services (e.g.: `ping@internal`) is disabled by default.
+To enable it one should use the new `addInternals` option for AccessLogs, Metrics or Tracing.
+Please take a look at the observability documentation for more information:
+
+- [AccessLogs](../observability/access-logs.md#addinternals)
+- [Metrics](../observability/metrics/overview.md#addinternals)
+- [AccessLogs](../observability/tracing/overview.md#addinternals)

docs/content/migration/v2.md

@@ -536,3 +536,30 @@ In `v2.11`, the `IPWhiteList` middleware is deprecated, please use the [IPAllowL
 ### IPWhiteList (TCP)
 
 In `v2.11`, the `IPWhiteList` middleware is deprecated, please use the [IPAllowList](../middlewares/tcp/ipallowlist.md) middleware instead.
+
+### TLS CipherSuites
+
+> By default, cipher suites without ECDHE support are no longer offered by either clients or servers during pre-TLS 1.3 handshakes.
+> This change can be reverted with the `tlsrsakex=1 GODEBUG` setting.
+> (https://go.dev/doc/go1.22#crypto/tls)
+
+The _RSA key exchange_ cipher suites are way less secure than the modern ECDHE cipher suites and exposes to potential vulnerabilities like [the Marvin Attack](https://people.redhat.com/~hkario/marvin).
+Decision has been made to support ECDHE cipher suites only by default.
+
+The following ciphers have been removed from the default list:
+
+- `TLS_RSA_WITH_AES_128_CBC_SHA`
+- `TLS_RSA_WITH_AES_256_CBC_SHA`
+- `TLS_RSA_WITH_AES_128_GCM_SHA256`
+- `TLS_RSA_WITH_AES_256_GCM_SHA384`
+
+To enable these ciphers, please set the option `CipherSuites` in your [TLS configuration](https://doc.traefik.io/traefik/https/tls/#cipher-suites) or set the environment variable `GODEBUG=tlsrsakex=1`.
+
+### Minimum TLS Version
+
+> By default, the minimum version offered by `crypto/tls` servers is now TLS 1.2 if not specified with config.MinimumVersion,
+> matching the behavior of crypto/tls clients.
+> This change can be reverted with the `tls10server=1 GODEBUG` setting.
+> (https://go.dev/doc/go1.22#crypto/tls)
+
+To enable TLS 1.0, please set the option `MinVersion` to `VersionTLS10` in your [TLS configuration](https://doc.traefik.io/traefik/https/tls/#cipher-suites) or set the environment variable `GODEBUG=tls10server=1`.

docs/content/observability/access-logs.md

@@ -26,6 +26,26 @@ accessLog: {}
 --accesslog=true
 ```
 
+### `addInternals`
+
+_Optional, Default="false"_
+
+Enables accessLogs for internal resources.
+
+```yaml tab="File (YAML)"
+accesslog:
+  addInternals: true
+```
+
+```toml tab="File (TOML)"
+[accesslog]
+  addInternals = true
+```
+
+```bash tab="CLI"
+--accesslog.addinternals
+```
+
 ### `filePath`
 
 By default access logs are written to the standard output.

docs/content/observability/metrics/datadog.md

@@ -27,6 +27,8 @@ _Required, Default="127.0.0.1:8125"_
 
 Address instructs exporter to send metrics to datadog-agent at this address.
 
+This address can be a Unix Domain Socket (UDS) address with the following form: `unix:///path/to/datadog.socket`.  
+
 ```yaml tab="File (YAML)"
 metrics:
   datadog:

docs/content/observability/metrics/opentelemetry.md

@@ -5,45 +5,25 @@ description: "Traefik supports several metrics backends, including OpenTelemetry
 
 # OpenTelemetry
 
-To enable the OpenTelemetry:
+To enable the OpenTelemetry metrics:
 
 ```yaml tab="File (YAML)"
 metrics:
-  openTelemetry: {}
+  otlp: {}
 ```
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.openTelemetry]
+  [metrics.otlp]
 ```
 
 ```bash tab="CLI"
---metrics.openTelemetry=true
+--metrics.otlp=true
 ```
 
-!!! info "The OpenTelemetry exporter will export metrics to the collector by using HTTP by default, see the [gRPC Section](#grpc-configuration) to use gRPC."
+!!! info "Default protocol"
 
-#### `address`
+    The OpenTelemetry exporter will export metrics to the collector using HTTP by default to https://localhost:4318/v1/metrics, see the [gRPC Section](#grpc-configuration) to use gRPC.
-
-_Required, Default="localhost:4318", Format="`<host>:<port>`"_
-
-Address of the OpenTelemetry Collector to send metrics to.
-
-```yaml tab="File (YAML)"
-metrics:
-  openTelemetry:
-    address: localhost:4318
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.openTelemetry]
-    address = "localhost:4318"
-```
-
-```bash tab="CLI"
---metrics.openTelemetry.address=localhost:4318
-```
 
 #### `addEntryPointsLabels`
 
@@ -53,18 +33,18 @@ Enable metrics on entry points.
 
 ```yaml tab="File (YAML)"
 metrics:
-  openTelemetry:
+  otlp:
     addEntryPointsLabels: true
 ```
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.openTelemetry]
+  [metrics.otlp]
     addEntryPointsLabels = true
 ```
 
 ```bash tab="CLI"
---metrics.openTelemetry.addEntryPointsLabels=true
+--metrics.otlp.addEntryPointsLabels=true
 ```
 
 #### `addRoutersLabels`
@@ -75,18 +55,18 @@ Enable metrics on routers.
 
 ```yaml tab="File (YAML)"
 metrics:
-  openTelemetry:
+  otlp:
     addRoutersLabels: true
 ```
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.openTelemetry]
+  [metrics.otlp]
     addRoutersLabels = true
 ```
 
 ```bash tab="CLI"
---metrics.openTelemetry.addRoutersLabels=true
+--metrics.otlp.addRoutersLabels=true
 ```
 
 #### `addServicesLabels`
@@ -97,18 +77,18 @@ Enable metrics on services.
 
 ```yaml tab="File (YAML)"
 metrics:
-  openTelemetry:
+  otlp:
     addServicesLabels: true
 ```
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.openTelemetry]
+  [metrics.otlp]
     addServicesLabels = true
 ```
 
 ```bash tab="CLI"
---metrics.openTelemetry.addServicesLabels=true
+--metrics.otlp.addServicesLabels=true
 ```
 
 #### `explicitBoundaries`
@@ -119,7 +99,7 @@ Explicit boundaries for Histogram data points.
 
 ```yaml tab="File (YAML)"
 metrics:
-  openTelemetry:
+  otlp:
     explicitBoundaries:
       - 0.1
       - 0.3
@@ -129,59 +109,12 @@ metrics:
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.openTelemetry]
+  [metrics.otlp]
     explicitBoundaries = [0.1,0.3,1.2,5.0]
 ```
 
 ```bash tab="CLI"
---metrics.openTelemetry.explicitBoundaries=0.1,0.3,1.2,5.0
+--metrics.otlp.explicitBoundaries=0.1,0.3,1.2,5.0
-```
-
-#### `headers`
-
-_Optional, Default={}_
-
-Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-metrics:
-  openTelemetry:
-    headers:
-      foo: bar
-      baz: buz
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.openTelemetry.headers]
-    foo = "bar"
-    baz = "buz"
-```
-
-```bash tab="CLI"
---metrics.openTelemetry.headers.foo=bar --metrics.openTelemetry.headers.baz=buz
-```
-
-#### `insecure`
-
-_Optional, Default=false_
-
-Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
-
-```yaml tab="File (YAML)"
-metrics:
-  openTelemetry:
-    insecure: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.openTelemetry]
-    insecure = true
-```
-
-```bash tab="CLI"
---metrics.openTelemetry.insecure=true
 ```
 
 #### `pushInterval`
@@ -192,48 +125,95 @@ Interval at which metrics are sent to the OpenTelemetry Collector.
 
 ```yaml tab="File (YAML)"
 metrics:
-  openTelemetry:
+  otlp:
     pushInterval: 10s
 ```
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.openTelemetry]
+  [metrics.otlp]
     pushInterval = "10s"
 ```
 
 ```bash tab="CLI"
---metrics.openTelemetry.pushInterval=10s
+--metrics.otlp.pushInterval=10s
 ```
 
-#### `path`
+### HTTP configuration
 
-_Required, Default="/v1/metrics"_
+_Optional_
 
-Allows to override the default URL path used for sending metrics.
+This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.
-This option has no effect when using gRPC transport.
 
 ```yaml tab="File (YAML)"
 metrics:
-  openTelemetry:
+  otlp:
-    path: /foo/v1/metrics
+    http: {}
 ```
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.openTelemetry]
+  [metrics.otlp.http]
-    path = "/foo/v1/metrics"
 ```
 
 ```bash tab="CLI"
---metrics.openTelemetry.path=/foo/v1/metrics
+--metrics.otlp.http=true
+```
+
+#### `endpoint`
+
+_Required, Default="http://localhost:4318/v1/metrics", Format="`<scheme>://<host>:<port><path>`"_
+
+URL of the OpenTelemetry Collector to send metrics to.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    http:
+      endpoint: http://localhost:4318/v1/metrics
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.http]
+    endpoint = "http://localhost:4318/v1/metrics"
+```
+
+```bash tab="CLI"
+--metrics.otlp.http.endpoint=http://localhost:4318/v1/metrics
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with metrics by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    http:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.http.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--metrics.otlp.http.headers.foo=bar --metrics.otlp.http.headers.baz=buz
 ```
 
 #### `tls`
 
 _Optional_
 
-Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
+Defines the Client TLS configuration used by the exporter to send metrics to the OpenTelemetry Collector.
 
 ##### `ca`
 
@@ -244,18 +224,19 @@ it defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 metrics:
-  openTelemetry:
+  otlp:
-    tls:
+    http:
-      ca: path/to/ca.crt
+      tls:
+        ca: path/to/ca.crt
 ```
 
 ```toml tab="File (TOML)"
-[metrics.openTelemetry.tls]
+[metrics.otlp.http.tls]
   ca = "path/to/ca.crt"
 ```
 
 ```bash tab="CLI"
---metrics.openTelemetry.tls.ca=path/to/ca.crt
+--metrics.otlp.http.tls.ca=path/to/ca.crt
 ```
 
 ##### `cert`
@@ -267,21 +248,22 @@ When using this option, setting the `key` option is required.
 
 ```yaml tab="File (YAML)"
 metrics:
-  openTelemetry:
+  otlp:
-    tls:
+    http:
-      cert: path/to/foo.cert
+      tls:
-      key: path/to/foo.key
+        cert: path/to/foo.cert
+        key: path/to/foo.key
 ```
 
 ```toml tab="File (TOML)"
-[metrics.openTelemetry.tls]
+[metrics.otlp.http.tls]
   cert = "path/to/foo.cert"
   key = "path/to/foo.key"
 ```
 
 ```bash tab="CLI"
---metrics.openTelemetry.tls.cert=path/to/foo.cert
+--metrics.otlp.http.tls.cert=path/to/foo.cert
---metrics.openTelemetry.tls.key=path/to/foo.key
+--metrics.otlp.http.tls.key=path/to/foo.key
 ```
 
 ##### `key`
@@ -293,21 +275,22 @@ When using this option, setting the `cert` option is required.
 
 ```yaml tab="File (YAML)"
 metrics:
-  openTelemetry:
+  otlp:
-    tls:
+    http:
-      cert: path/to/foo.cert
+      tls:
-      key: path/to/foo.key
+        cert: path/to/foo.cert
+        key: path/to/foo.key
 ```
 
 ```toml tab="File (TOML)"
-[metrics.openTelemetry.tls]
+[metrics.otlp.http.tls]
   cert = "path/to/foo.cert"
   key = "path/to/foo.key"
 ```
 
 ```bash tab="CLI"
---metrics.openTelemetry.tls.cert=path/to/foo.cert
+--metrics.otlp.http.tls.cert=path/to/foo.cert
---metrics.openTelemetry.tls.key=path/to/foo.key
+--metrics.otlp.http.tls.key=path/to/foo.key
 ```
 
 ##### `insecureSkipVerify`
@@ -319,35 +302,218 @@ the TLS connection to the OpenTelemetry Collector accepts any certificate presen
 
 ```yaml tab="File (YAML)"
 metrics:
-  openTelemetry:
+  otlp:
-    tls:
+    http:
-      insecureSkipVerify: true
+      tls:
+        insecureSkipVerify: true
 ```
 
 ```toml tab="File (TOML)"
-[metrics.openTelemetry.tls]
+[metrics.otlp.http.tls]
   insecureSkipVerify = true
 ```
 
 ```bash tab="CLI"
---metrics.openTelemetry.tls.insecureSkipVerify=true
+--metrics.otlp.http.tls.insecureSkipVerify=true
 ```
 
-#### gRPC configuration
+### gRPC configuration
 
-This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC.
+_Optional_
+
+This instructs the exporter to send metrics to the OpenTelemetry Collector using gRPC.
 
 ```yaml tab="File (YAML)"
 metrics:
-  openTelemetry:
+  otlp:
     grpc: {}
 ```
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.openTelemetry.grpc]
+  [metrics.otlp.grpc]
 ```
 
 ```bash tab="CLI"
---metrics.openTelemetry.grpc=true
+--metrics.otlp.grpc=true
+```
+
+#### `endpoint`
+
+_Required, Default="localhost:4317", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send metrics to.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      endpoint: localhost:4317
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.grpc]
+    endpoint = "localhost:4317"
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.endpoint=localhost:4317
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows exporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      insecure: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.grpc]
+    insecure = true
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.insecure=true
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with metrics by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.grpc.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.headers.foo=bar --metrics.otlp.grpc.headers.baz=buz
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the Client TLS configuration used by the exporter to send metrics to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[metrics.otlp.grpc.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.tls.cert=path/to/foo.cert
+--metrics.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.tls.cert=path/to/foo.cert
+--metrics.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      tls:
+        insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[metrics.otlp.grpc.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.tls.insecureSkipVerify=true
 ```

docs/content/observability/metrics/overview.md

@@ -14,6 +14,28 @@ Traefik supports these metrics backends:
 
 Traefik Proxy hosts an official Grafana dashboard for both [on-premises](https://grafana.com/grafana/dashboards/17346) and [Kubernetes](https://grafana.com/grafana/dashboards/17347) deployments.
 
+## Common Options
+
+### `addInternals`
+
+_Optional, Default="false"_
+
+Enables metrics for internal resources.
+
+```yaml tab="File (YAML)"
+metrics:
+  addInternals: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  addInternals = true
+```
+
+```bash tab="CLI"
+--metrics.addinternals
+```
+
 ## Global Metrics
 
 | Metric                     | Type  | [Labels](#labels)        | Description                                                        |

docs/content/observability/overview.md

@@ -0,0 +1,42 @@
+---
+title: "Traefik Observability Overview"
+description: "Traefik provides Logs, Access Logs, Metrics and Tracing. Read the full documentation to get started."
+---
+
+# Overview
+
+Traefik's Observability system
+{: .subtitle }
+
+## Logs
+
+Traefik logs informs about everything that happens within Traefik (startup, configuration, events, shutdown, and so on).
+
+Read the [Logs documentation](./logs.md) to learn how to configure it.
+
+## Access Logs
+
+Access logs are a key part of observability in Traefik.
+
+They are providing valuable insights about incoming traffic, and allow to monitor it.
+The access logs record detailed information about each request received by Traefik,
+including the source IP address, requested URL, response status code, and more.
+
+Read the [Access Logs documentation](./access-logs.md) to learn how to configure it.
+
+## Metrics
+
+Traefik offers a metrics feature that provides valuable insights about the performance and usage.
+These metrics include the number of requests received, the requests duration, and more.
+
+Traefik supports these metrics systems: Prometheus, Datadog, InfluxDB 2.X, and StatsD.
+
+Read the [Metrics documentation](./metrics/overview.md) to learn how to configure it.
+
+## Tracing
+
+The Traefik tracing system allows developers to gain deep visibility into the flow of requests through their infrastructure.
+
+Traefik supports these tracing with OpenTelemetry.
+
+Read the [Tracing documentation](./tracing/overview.md) to learn how to configure it.

docs/content/observability/tracing/opentelemetry.md

@@ -21,19 +21,20 @@ tracing:
 --tracing.otlp=true
 ```
 
-!!! info "The OpenTelemetry trace reporter will export traces to the collector using HTTP by default (http://localhost:4318/v1/traces), 
+!!! info "Default protocol"
-see the [gRPC Section](#grpc-configuration) to use gRPC."
+
+    The OpenTelemetry trace exporter will export traces to the collector using HTTP by default to https://localhost:4318/v1/traces, see the [gRPC Section](#grpc-configuration) to use gRPC.
 
 !!! info "Trace sampling"
 
-	By default, the OpenTelemetry trace reporter will sample 100% of traces.  
+	By default, the OpenTelemetry trace exporter will sample 100% of traces.  
 	See [OpenTelemetry's SDK configuration](https://opentelemetry.io/docs/reference/specification/sdk-environment-variables/#general-sdk-configuration) to customize the sampling strategy.
 
 ### HTTP configuration
 
 _Optional_
 
-This instructs the reporter to send spans to the OpenTelemetry Collector using HTTP.
+This instructs the exporter to send spans to the OpenTelemetry Collector using HTTP.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -73,11 +74,37 @@ tracing:
 --tracing.otlp.http.endpoint=http://localhost:4318/v1/traces
 ```
 
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with traces by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    http:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.otlp.http.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--tracing.otlp.http.headers.foo=bar --tracing.otlp.http.headers.baz=buz
+```
+
 #### `tls`
 
 _Optional_
 
-Defines the Client TLS configuration used by the reporter to send spans to the OpenTelemetry Collector.
+Defines the Client TLS configuration used by the exporter to send spans to the OpenTelemetry Collector.
 
 ##### `ca`
 
@@ -181,11 +208,11 @@ tracing:
 --tracing.otlp.http.tls.insecureSkipVerify=true
 ```
 
-#### gRPC configuration
+### gRPC configuration
 
 _Optional_
 
-This instructs the reporter to send spans to the OpenTelemetry Collector using gRPC.
+This instructs the exporter to send spans to the OpenTelemetry Collector using gRPC.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -228,7 +255,7 @@ tracing:
 
 _Optional, Default=false_
 
-Allows reporter to send spans to the OpenTelemetry Collector without using a secured protocol.
+Allows exporter to send spans to the OpenTelemetry Collector without using a secured protocol.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -247,11 +274,37 @@ tracing:
 --tracing.otlp.grpc.insecure=true
 ```
 
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with traces by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    grpc:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.otlp.grpc.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--tracing.otlp.grpc.headers.foo=bar --tracing.otlp.grpc.headers.baz=buz
+```
+
 #### `tls`
 
 _Optional_
 
-Defines the Client TLS configuration used by the reporter to send spans to the OpenTelemetry Collector.
+Defines the Client TLS configuration used by the exporter to send spans to the OpenTelemetry Collector.
 
 ##### `ca`
 

docs/content/observability/tracing/overview.md

@@ -14,10 +14,8 @@ Traefik uses [OpenTelemetry](https://opentelemetry.io/ "Link to website of OTel"
 
 Please check our dedicated [OTel docs](./opentelemetry.md) to learn more.
 
-
 ## Configuration
 
-
 To enable the tracing:
 
 ```yaml tab="File (YAML)"
@@ -34,6 +32,26 @@ tracing: {}
 
 ### Common Options
 
+#### `addInternals`
+
+_Optional, Default="false"_
+
+Enables tracing for internal resources.
+
+```yaml tab="File (YAML)"
+tracing:
+  addInternals: true
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  addInternals = true
+```
+
+```bash tab="CLI"
+--tracing.addinternals
+```
+
 #### `serviceName`
 
 _Required, Default="traefik"_
@@ -74,30 +92,6 @@ tracing:
 --tracing.sampleRate=0.2
 ```
 
-#### `headers`
-
-_Optional, Default={}_
-
-Defines additional headers to be sent with the span's payload.
-
-```yaml tab="File (YAML)"
-tracing:
-  headers:
-    foo: bar
-    baz: buz
-```
-
-```toml tab="File (TOML)"
-[tracing]
-    [tracing.headers]
-        foo = "bar"
-        baz = "buz"
-```
-
-```bash tab="CLI"
---tracing.headers.foo=bar --tracing.headers.baz=buz
-```
-
 #### `globalAttributes`
 
 _Optional, Default=empty_

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -16,11 +16,13 @@
 - "traefik.http.middlewares.middleware05.circuitbreaker.expression=foobar"
 - "traefik.http.middlewares.middleware05.circuitbreaker.fallbackduration=42s"
 - "traefik.http.middlewares.middleware05.circuitbreaker.recoveryduration=42s"
+- "traefik.http.middlewares.middleware05.circuitbreaker.responsecode=42"
 - "traefik.http.middlewares.middleware06.compress=true"
 - "traefik.http.middlewares.middleware06.compress.excludedcontenttypes=foobar, foobar"
 - "traefik.http.middlewares.middleware06.compress.includedcontenttypes=foobar, foobar"
 - "traefik.http.middlewares.middleware06.compress.minresponsebodybytes=42"
 - "traefik.http.middlewares.middleware07.contenttype=true"
+- "traefik.http.middlewares.middleware07.contenttype.autodetect=true"
 - "traefik.http.middlewares.middleware08.digestauth.headerfield=foobar"
 - "traefik.http.middlewares.middleware08.digestauth.realm=foobar"
 - "traefik.http.middlewares.middleware08.digestauth.removeheader=true"
@@ -35,6 +37,7 @@
 - "traefik.http.middlewares.middleware10.forwardauth.authresponseheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.authresponseheadersregex=foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.ca=foobar"
+- "traefik.http.middlewares.middleware10.forwardauth.tls.caoptional=true"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.cert=foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.insecureskipverify=true"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.key=foobar"
@@ -58,6 +61,7 @@
 - "traefik.http.middlewares.middleware12.headers.customrequestheaders.name1=foobar"
 - "traefik.http.middlewares.middleware12.headers.customresponseheaders.name0=foobar"
 - "traefik.http.middlewares.middleware12.headers.customresponseheaders.name1=foobar"
+- "traefik.http.middlewares.middleware12.headers.featurepolicy=foobar"
 - "traefik.http.middlewares.middleware12.headers.forcestsheader=true"
 - "traefik.http.middlewares.middleware12.headers.framedeny=true"
 - "traefik.http.middlewares.middleware12.headers.hostsproxyheaders=foobar, foobar"
@@ -65,8 +69,12 @@
 - "traefik.http.middlewares.middleware12.headers.permissionspolicy=foobar"
 - "traefik.http.middlewares.middleware12.headers.publickey=foobar"
 - "traefik.http.middlewares.middleware12.headers.referrerpolicy=foobar"
+- "traefik.http.middlewares.middleware12.headers.sslforcehost=true"
+- "traefik.http.middlewares.middleware12.headers.sslhost=foobar"
 - "traefik.http.middlewares.middleware12.headers.sslproxyheaders.name0=foobar"
 - "traefik.http.middlewares.middleware12.headers.sslproxyheaders.name1=foobar"
+- "traefik.http.middlewares.middleware12.headers.sslredirect=true"
+- "traefik.http.middlewares.middleware12.headers.ssltemporaryredirect=true"
 - "traefik.http.middlewares.middleware12.headers.stsincludesubdomains=true"
 - "traefik.http.middlewares.middleware12.headers.stspreload=true"
 - "traefik.http.middlewares.middleware12.headers.stsseconds=42"
@@ -126,6 +134,7 @@
 - "traefik.http.middlewares.middleware22.replacepathregex.replacement=foobar"
 - "traefik.http.middlewares.middleware23.retry.attempts=42"
 - "traefik.http.middlewares.middleware23.retry.initialinterval=42s"
+- "traefik.http.middlewares.middleware24.stripprefix.forceslash=true"
 - "traefik.http.middlewares.middleware24.stripprefix.prefixes=foobar, foobar"
 - "traefik.http.middlewares.middleware25.stripprefixregex.regex=foobar, foobar"
 - "traefik.http.routers.router0.entrypoints=foobar, foobar"
@@ -213,6 +222,7 @@
 - "traefik.tcp.services.tcpservice01.loadbalancer.proxyprotocol=true"
 - "traefik.tcp.services.tcpservice01.loadbalancer.proxyprotocol.version=42"
 - "traefik.tcp.services.tcpservice01.loadbalancer.serverstransport=foobar"
+- "traefik.tcp.services.tcpservice01.loadbalancer.terminationdelay=42"
 - "traefik.tcp.services.tcpservice01.loadbalancer.server.port=foobar"
 - "traefik.tcp.services.tcpservice01.loadbalancer.server.tls=true"
 - "traefik.udp.routers.udprouter0.entrypoints=foobar, foobar"

docs/content/reference/dynamic-configuration/file.toml

@@ -137,6 +137,7 @@
         checkPeriod = "42s"
         fallbackDuration = "42s"
         recoveryDuration = "42s"
+        responseCode = 42
     [http.middlewares.Middleware06]
       [http.middlewares.Middleware06.compress]
         excludedContentTypes = ["foobar", "foobar"]
@@ -144,6 +145,7 @@
         minResponseBodyBytes = 42
     [http.middlewares.Middleware07]
       [http.middlewares.Middleware07.contentType]
+        autoDetect = true
     [http.middlewares.Middleware08]
       [http.middlewares.Middleware08.digestAuth]
         users = ["foobar", "foobar"]
@@ -169,6 +171,7 @@
           cert = "foobar"
           key = "foobar"
           insecureSkipVerify = true
+          caOptional = true
     [http.middlewares.Middleware11]
       [http.middlewares.Middleware11.grpcWeb]
         allowOrigins = ["foobar", "foobar"]
@@ -198,6 +201,11 @@
         referrerPolicy = "foobar"
         permissionsPolicy = "foobar"
         isDevelopment = true
+        featurePolicy = "foobar"
+        sslRedirect = true
+        sslTemporaryRedirect = true
+        sslHost = "foobar"
+        sslForceHost = true
         [http.middlewares.Middleware12.headers.customRequestHeaders]
           name0 = "foobar"
           name1 = "foobar"
@@ -297,6 +305,7 @@
     [http.middlewares.Middleware24]
       [http.middlewares.Middleware24.stripPrefix]
         prefixes = ["foobar", "foobar"]
+        forceSlash = true
     [http.middlewares.Middleware25]
       [http.middlewares.Middleware25.stripPrefixRegex]
         regex = ["foobar", "foobar"]
@@ -394,6 +403,7 @@
     [tcp.services.TCPService01]
       [tcp.services.TCPService01.loadBalancer]
         serversTransport = "foobar"
+        terminationDelay = 42
         [tcp.services.TCPService01.loadBalancer.proxyProtocol]
           version = 42
 
@@ -513,6 +523,7 @@
       curvePreferences = ["foobar", "foobar"]
       sniStrict = true
       alpnProtocols = ["foobar", "foobar"]
+      preferServerCipherSuites = true
       [tls.options.Options0.clientAuth]
         caFiles = ["foobar", "foobar"]
         clientAuthType = "foobar"
@@ -523,6 +534,7 @@
       curvePreferences = ["foobar", "foobar"]
       sniStrict = true
       alpnProtocols = ["foobar", "foobar"]
+      preferServerCipherSuites = true
       [tls.options.Options1.clientAuth]
         caFiles = ["foobar", "foobar"]
         clientAuthType = "foobar"

docs/content/reference/dynamic-configuration/file.yaml

@@ -142,6 +142,7 @@ http:
         checkPeriod: 42s
         fallbackDuration: 42s
         recoveryDuration: 42s
+        responseCode: 42
     Middleware06:
       compress:
         excludedContentTypes:
@@ -152,7 +153,8 @@ http:
           - foobar
         minResponseBodyBytes: 42
     Middleware07:
-      contentType: {}
+      contentType:
+        autoDetect: true
     Middleware08:
       digestAuth:
         users:
@@ -177,6 +179,7 @@ http:
           cert: foobar
           key: foobar
           insecureSkipVerify: true
+          caOptional: true
         trustForwardHeader: true
         authResponseHeaders:
           - foobar
@@ -242,6 +245,11 @@ http:
         referrerPolicy: foobar
         permissionsPolicy: foobar
         isDevelopment: true
+        featurePolicy: foobar
+        sslRedirect: true
+        sslTemporaryRedirect: true
+        sslHost: foobar
+        sslForceHost: true
     Middleware13:
       ipAllowList:
         sourceRange:
@@ -346,6 +354,7 @@ http:
         prefixes:
           - foobar
           - foobar
+        forceSlash: true
     Middleware25:
       stripPrefixRegex:
         regex:
@@ -463,6 +472,7 @@ tcp:
           - address: foobar
             tls: true
         serversTransport: foobar
+        terminationDelay: 42
     TCPService02:
       weighted:
         services:
@@ -583,6 +593,7 @@ tls:
       alpnProtocols:
         - foobar
         - foobar
+      preferServerCipherSuites: true
     Options1:
       minVersion: foobar
       maxVersion: foobar
@@ -601,6 +612,7 @@ tls:
       alpnProtocols:
         - foobar
         - foobar
+      preferServerCipherSuites: true
   stores:
     Store0:
       defaultCertificate:

docs/content/reference/dynamic-configuration/kv-ref.md

@@ -20,12 +20,13 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware05/circuitBreaker/expression` | `foobar` |
 | `traefik/http/middlewares/Middleware05/circuitBreaker/fallbackDuration` | `42s` |
 | `traefik/http/middlewares/Middleware05/circuitBreaker/recoveryDuration` | `42s` |
+| `traefik/http/middlewares/Middleware05/circuitBreaker/responseCode` | `42` |
 | `traefik/http/middlewares/Middleware06/compress/excludedContentTypes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware06/compress/excludedContentTypes/1` | `foobar` |
 | `traefik/http/middlewares/Middleware06/compress/includedContentTypes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware06/compress/includedContentTypes/1` | `foobar` |
 | `traefik/http/middlewares/Middleware06/compress/minResponseBodyBytes` | `42` |
-| `traefik/http/middlewares/Middleware07/contentType` | `` |
+| `traefik/http/middlewares/Middleware07/contentType/autoDetect` | `true` |
 | `traefik/http/middlewares/Middleware08/digestAuth/headerField` | `foobar` |
 | `traefik/http/middlewares/Middleware08/digestAuth/realm` | `foobar` |
 | `traefik/http/middlewares/Middleware08/digestAuth/removeHeader` | `true` |
@@ -45,6 +46,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeadersRegex` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/ca` | `foobar` |
+| `traefik/http/middlewares/Middleware10/forwardAuth/tls/caOptional` | `true` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/cert` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/insecureSkipVerify` | `true` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/key` | `foobar` |
@@ -75,6 +77,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware12/headers/customRequestHeaders/name1` | `foobar` |
 | `traefik/http/middlewares/Middleware12/headers/customResponseHeaders/name0` | `foobar` |
 | `traefik/http/middlewares/Middleware12/headers/customResponseHeaders/name1` | `foobar` |
+| `traefik/http/middlewares/Middleware12/headers/featurePolicy` | `foobar` |
 | `traefik/http/middlewares/Middleware12/headers/forceSTSHeader` | `true` |
 | `traefik/http/middlewares/Middleware12/headers/frameDeny` | `true` |
 | `traefik/http/middlewares/Middleware12/headers/hostsProxyHeaders/0` | `foobar` |
@@ -83,8 +86,12 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware12/headers/permissionsPolicy` | `foobar` |
 | `traefik/http/middlewares/Middleware12/headers/publicKey` | `foobar` |
 | `traefik/http/middlewares/Middleware12/headers/referrerPolicy` | `foobar` |
+| `traefik/http/middlewares/Middleware12/headers/sslForceHost` | `true` |
+| `traefik/http/middlewares/Middleware12/headers/sslHost` | `foobar` |
 | `traefik/http/middlewares/Middleware12/headers/sslProxyHeaders/name0` | `foobar` |
 | `traefik/http/middlewares/Middleware12/headers/sslProxyHeaders/name1` | `foobar` |
+| `traefik/http/middlewares/Middleware12/headers/sslRedirect` | `true` |
+| `traefik/http/middlewares/Middleware12/headers/sslTemporaryRedirect` | `true` |
 | `traefik/http/middlewares/Middleware12/headers/stsIncludeSubdomains` | `true` |
 | `traefik/http/middlewares/Middleware12/headers/stsPreload` | `true` |
 | `traefik/http/middlewares/Middleware12/headers/stsSeconds` | `42` |
@@ -148,6 +155,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware22/replacePathRegex/replacement` | `foobar` |
 | `traefik/http/middlewares/Middleware23/retry/attempts` | `42` |
 | `traefik/http/middlewares/Middleware23/retry/initialInterval` | `42s` |
+| `traefik/http/middlewares/Middleware24/stripPrefix/forceSlash` | `true` |
 | `traefik/http/middlewares/Middleware24/stripPrefix/prefixes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware24/stripPrefix/prefixes/1` | `foobar` |
 | `traefik/http/middlewares/Middleware25/stripPrefixRegex/regex/0` | `foobar` |
@@ -341,6 +349,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/tcp/services/TCPService01/loadBalancer/servers/1/address` | `foobar` |
 | `traefik/tcp/services/TCPService01/loadBalancer/servers/1/tls` | `true` |
 | `traefik/tcp/services/TCPService01/loadBalancer/serversTransport` | `foobar` |
+| `traefik/tcp/services/TCPService01/loadBalancer/terminationDelay` | `42` |
 | `traefik/tcp/services/TCPService02/weighted/services/0/name` | `foobar` |
 | `traefik/tcp/services/TCPService02/weighted/services/0/weight` | `42` |
 | `traefik/tcp/services/TCPService02/weighted/services/1/name` | `foobar` |
@@ -364,6 +373,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/tls/options/Options0/curvePreferences/1` | `foobar` |
 | `traefik/tls/options/Options0/maxVersion` | `foobar` |
 | `traefik/tls/options/Options0/minVersion` | `foobar` |
+| `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
 | `traefik/tls/options/Options0/sniStrict` | `true` |
 | `traefik/tls/options/Options1/alpnProtocols/0` | `foobar` |
 | `traefik/tls/options/Options1/alpnProtocols/1` | `foobar` |
@@ -376,6 +386,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/tls/options/Options1/curvePreferences/1` | `foobar` |
 | `traefik/tls/options/Options1/maxVersion` | `foobar` |
 | `traefik/tls/options/Options1/minVersion` | `foobar` |
+| `traefik/tls/options/Options1/preferServerCipherSuites` | `true` |
 | `traefik/tls/options/Options1/sniStrict` | `true` |
 | `traefik/tls/stores/Store0/defaultCertificate/certFile` | `foobar` |
 | `traefik/tls/stores/Store0/defaultCertificate/keyFile` | `foobar` |

docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: ingressroutes.traefik.io
 spec:
   group: traefik.io
@@ -20,14 +20,19 @@ spec:
         description: IngressRoute is the CRD implementation of a Traefik HTTP Router.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -35,10 +40,11 @@ spec:
             description: IngressRouteSpec defines the desired state of IngressRoute.
             properties:
               entryPoints:
-                description: 'EntryPoints defines the list of entry point names to
+                description: |-
-                  bind to. Entry points have to be configured in the static configuration.
+                  EntryPoints defines the list of entry point names to bind to.
+                  Entry points have to be configured in the static configuration.
                   More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
-                  Default: all.'
+                  Default: all.
                 items:
                   type: string
                 type: array
@@ -48,17 +54,21 @@ spec:
                   description: Route holds the HTTP route configuration.
                   properties:
                     kind:
-                      description: Kind defines the kind of the route. Rule is the
+                      description: |-
-                        only supported kind.
+                        Kind defines the kind of the route.
+                        Rule is the only supported kind.
                       enum:
                       - Rule
                       type: string
                     match:
-                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule'
+                      description: |-
+                        Match defines the router's rule.
+                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule
                       type: string
                     middlewares:
-                      description: 'Middlewares defines the list of references to
+                      description: |-
-                        Middleware resources. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-middleware'
+                        Middlewares defines the list of references to Middleware resources.
+                        More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-middleware
                       items:
                         description: MiddlewareRef is a reference to a Middleware
                           resource.
@@ -76,13 +86,14 @@ spec:
                         type: object
                       type: array
                     priority:
-                      description: 'Priority defines the router''s priority. More
+                      description: |-
-                        info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority'
+                        Priority defines the router's priority.
+                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority
                       type: integer
                     services:
-                      description: Services defines the list of Service. It can contain
+                      description: |-
-                        any combination of TraefikService and/or reference to a Kubernetes
+                        Services defines the list of Service.
-                        Service.
+                        It can contain any combination of TraefikService and/or reference to a Kubernetes Service.
                       items:
                         description: Service defines an upstream HTTP service to proxy
                           traffic to.
@@ -94,31 +105,32 @@ spec:
                             - TraefikService
                             type: string
                           name:
-                            description: Name defines the name of the referenced Kubernetes
+                            description: |-
-                              Service or TraefikService. The differentiation between
+                              Name defines the name of the referenced Kubernetes Service or TraefikService.
-                              the two is specified in the Kind field.
+                              The differentiation between the two is specified in the Kind field.
                             type: string
                           namespace:
                             description: Namespace defines the namespace of the referenced
                               Kubernetes Service or TraefikService.
                             type: string
                           nativeLB:
-                            description: NativeLB controls, when creating the load-balancer,
+                            description: |-
-                              whether the LB's children are directly the pods IPs
+                              NativeLB controls, when creating the load-balancer,
-                              or if the only child is the Kubernetes Service clusterIP.
+                              whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
-                              The Kubernetes Service itself does load-balance to the
+                              The Kubernetes Service itself does load-balance to the pods.
-                              pods. By default, NativeLB is false.
+                              By default, NativeLB is false.
                             type: boolean
                           passHostHeader:
-                            description: PassHostHeader defines whether the client
+                            description: |-
-                              Host header is forwarded to the upstream Kubernetes
+                              PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
-                              Service. By default, passHostHeader is true.
+                              By default, passHostHeader is true.
                             type: boolean
                           port:
                             anyOf:
                             - type: integer
                             - type: string
-                            description: Port defines the port of a Kubernetes Service.
+                            description: |-
+                              Port defines the port of a Kubernetes Service.
                               This can be a reference to a named port.
                             x-kubernetes-int-or-string: true
                           responseForwarding:
@@ -127,30 +139,29 @@ spec:
                               the client.
                             properties:
                               flushInterval:
-                                description: 'FlushInterval defines the interval,
+                                description: |-
-                                  in milliseconds, in between flushes to the client
+                                  FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
-                                  while copying the response body. A negative value
+                                  A negative value means to flush immediately after each write to the client.
-                                  means to flush immediately after each write to the
+                                  This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
-                                  client. This configuration is ignored when ReverseProxy
+                                  for such responses, writes are flushed to the client immediately.
-                                  recognizes a response as a streaming response; for
+                                  Default: 100ms
-                                  such responses, writes are flushed to the client
-                                  immediately. Default: 100ms'
                                 type: string
                             type: object
                           scheme:
-                            description: Scheme defines the scheme to use for the
+                            description: |-
-                              request to the upstream Kubernetes Service. It defaults
+                              Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
-                              to https when Kubernetes Service port is 443, http otherwise.
+                              It defaults to https when Kubernetes Service port is 443, http otherwise.
                             type: string
                           serversTransport:
-                            description: ServersTransport defines the name of ServersTransport
+                            description: |-
-                              resource to use. It allows to configure the transport
+                              ServersTransport defines the name of ServersTransport resource to use.
-                              between Traefik and your servers. Can only be used on
+                              It allows to configure the transport between Traefik and your servers.
-                              a Kubernetes Service.
+                              Can only be used on a Kubernetes Service.
                             type: string
                           sticky:
-                            description: 'Sticky defines the sticky sessions configuration.
+                            description: |-
-                              More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
+                              Sticky defines the sticky sessions configuration.
+                              More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
                             properties:
                               cookie:
                                 description: Cookie defines the sticky cookie configuration.
@@ -161,17 +172,18 @@ spec:
                                       JavaScript.
                                     type: boolean
                                   maxAge:
-                                    description: MaxAge indicates the number of seconds
+                                    description: |-
-                                      until the cookie expires. When set to a negative
+                                      MaxAge indicates the number of seconds until the cookie expires.
-                                      number, the cookie expires immediately. When
+                                      When set to a negative number, the cookie expires immediately.
-                                      set to zero, the cookie never expires.
+                                      When set to zero, the cookie never expires.
                                     type: integer
                                   name:
                                     description: Name defines the Cookie name.
                                     type: string
                                   sameSite:
-                                    description: 'SameSite defines the same site policy.
+                                    description: |-
-                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                                      SameSite defines the same site policy.
+                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
                                     type: string
                                   secure:
                                     description: Secure defines whether the cookie
@@ -181,23 +193,23 @@ spec:
                                 type: object
                             type: object
                           strategy:
-                            description: Strategy defines the load balancing strategy
+                            description: |-
-                              between the servers. RoundRobin is the only supported
+                              Strategy defines the load balancing strategy between the servers.
-                              value at the moment.
+                              RoundRobin is the only supported value at the moment.
                             type: string
                           weight:
-                            description: Weight defines the weight and should only
+                            description: |-
-                              be specified when Name references a TraefikService object
+                              Weight defines the weight and should only be specified when Name references a TraefikService object
-                              (and to be precise, one that embeds a Weighted Round
+                              (and to be precise, one that embeds a Weighted Round Robin).
-                              Robin).
                             type: integer
                         required:
                         - name
                         type: object
                       type: array
                     syntax:
-                      description: 'Syntax defines the router''s rule syntax. More
+                      description: |-
-                        info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rulesyntax'
+                        Syntax defines the router's rule syntax.
+                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rulesyntax
                       type: string
                   required:
                   - kind
@@ -205,16 +217,20 @@ spec:
                   type: object
                 type: array
               tls:
-                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls'
+                description: |-
+                  TLS defines the TLS configuration.
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls
                 properties:
                   certResolver:
-                    description: 'CertResolver defines the name of the certificate
+                    description: |-
-                      resolver to use. Cert resolvers have to be configured in the
+                      CertResolver defines the name of the certificate resolver to use.
-                      static configuration. More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers'
+                      Cert resolvers have to be configured in the static configuration.
+                      More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers
                     type: string
                   domains:
-                    description: 'Domains defines the list of domains that will be
+                    description: |-
-                      used to issue certificates. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains'
+                      Domains defines the list of domains that will be used to issue certificates.
+                      More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -230,17 +246,20 @@ spec:
                       type: object
                     type: array
                   options:
-                    description: 'Options defines the reference to a TLSOption, that
+                    description: |-
-                      specifies the parameters of the TLS connection. If not defined,
+                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
-                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
+                      If not defined, the `default` TLSOption is used.
+                      More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options
                     properties:
                       name:
-                        description: 'Name defines the name of the referenced TLSOption.
+                        description: |-
-                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption'
+                          Name defines the name of the referenced TLSOption.
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                       namespace:
-                        description: 'Namespace defines the namespace of the referenced
+                        description: |-
-                          TLSOption. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption'
+                          Namespace defines the namespace of the referenced TLSOption.
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                     required:
                     - name
@@ -250,17 +269,19 @@ spec:
                       Secret to specify the certificate details.
                     type: string
                   store:
-                    description: Store defines the reference to the TLSStore, that
+                    description: |-
-                      will be used to store certificates. Please note that only `default`
+                      Store defines the reference to the TLSStore, that will be used to store certificates.
-                      TLSStore can be used.
+                      Please note that only `default` TLSStore can be used.
                     properties:
                       name:
-                        description: 'Name defines the name of the referenced TLSStore.
+                        description: |-
-                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore'
+                          Name defines the name of the referenced TLSStore.
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                       namespace:
-                        description: 'Namespace defines the namespace of the referenced
+                        description: |-
-                          TLSStore. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore'
+                          Namespace defines the namespace of the referenced TLSStore.
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                     required:
                     - name

docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: ingressroutetcps.traefik.io
 spec:
   group: traefik.io
@@ -20,14 +20,19 @@ spec:
         description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -35,10 +40,11 @@ spec:
             description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
             properties:
               entryPoints:
-                description: 'EntryPoints defines the list of entry point names to
+                description: |-
-                  bind to. Entry points have to be configured in the static configuration.
+                  EntryPoints defines the list of entry point names to bind to.
+                  Entry points have to be configured in the static configuration.
                   More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
-                  Default: all.'
+                  Default: all.
                 items:
                   type: string
                 type: array
@@ -48,7 +54,9 @@ spec:
                   description: RouteTCP holds the TCP route configuration.
                   properties:
                     match:
-                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule_1'
+                      description: |-
+                        Match defines the router's rule.
+                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule_1
                       type: string
                     middlewares:
                       description: Middlewares defines the list of references to MiddlewareTCP
@@ -70,8 +78,9 @@ spec:
                         type: object
                       type: array
                     priority:
-                      description: 'Priority defines the router''s priority. More
+                      description: |-
-                        info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority_1'
+                        Priority defines the router's priority.
+                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority_1
                       type: integer
                     services:
                       description: Services defines the list of TCP services.
@@ -88,22 +97,24 @@ spec:
                               Kubernetes Service.
                             type: string
                           nativeLB:
-                            description: NativeLB controls, when creating the load-balancer,
+                            description: |-
-                              whether the LB's children are directly the pods IPs
+                              NativeLB controls, when creating the load-balancer,
-                              or if the only child is the Kubernetes Service clusterIP.
+                              whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
-                              The Kubernetes Service itself does load-balance to the
+                              The Kubernetes Service itself does load-balance to the pods.
-                              pods. By default, NativeLB is false.
+                              By default, NativeLB is false.
                             type: boolean
                           port:
                             anyOf:
                             - type: integer
                             - type: string
-                            description: Port defines the port of a Kubernetes Service.
+                            description: |-
+                              Port defines the port of a Kubernetes Service.
                               This can be a reference to a named port.
                             x-kubernetes-int-or-string: true
                           proxyProtocol:
-                            description: 'ProxyProtocol defines the PROXY protocol
+                            description: |-
-                              configuration. More info: https://doc.traefik.io/traefik/v3.0/routing/services/#proxy-protocol'
+                              ProxyProtocol defines the PROXY protocol configuration.
+                              More info: https://doc.traefik.io/traefik/v3.0/routing/services/#proxy-protocol
                             properties:
                               version:
                                 description: Version defines the PROXY Protocol version
@@ -111,11 +122,20 @@ spec:
                                 type: integer
                             type: object
                           serversTransport:
-                            description: ServersTransport defines the name of ServersTransportTCP
+                            description: |-
-                              resource to use. It allows to configure the transport
+                              ServersTransport defines the name of ServersTransportTCP resource to use.
-                              between Traefik and your servers. Can only be used on
+                              It allows to configure the transport between Traefik and your servers.
-                              a Kubernetes Service.
+                              Can only be used on a Kubernetes Service.
                             type: string
+                          terminationDelay:
+                            description: |-
+                              TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicates
+                              it has closed the writing capability of its connection, to close the reading capability as well,
+                              hence fully terminating the connection.
+                              It is a duration in milliseconds, defaulting to 100.
+                              A negative value means an infinite deadline (i.e. the reading capability is never closed).
+                              Deprecated: TerminationDelay is not supported APIVersion traefik.io/v1, please use ServersTransport to configure the TerminationDelay instead.
+                            type: integer
                           tls:
                             description: TLS determines whether to use TLS when dialing
                               with the backend.
@@ -130,25 +150,29 @@ spec:
                         type: object
                       type: array
                     syntax:
-                      description: 'Syntax defines the router''s rule syntax. More
+                      description: |-
-                        info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rulesyntax_1'
+                        Syntax defines the router's rule syntax.
+                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rulesyntax_1
                       type: string
                   required:
                   - match
                   type: object
                 type: array
               tls:
-                description: 'TLS defines the TLS configuration on a layer 4 / TCP
+                description: |-
-                  Route. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls_1'
+                  TLS defines the TLS configuration on a layer 4 / TCP Route.
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls_1
                 properties:
                   certResolver:
-                    description: 'CertResolver defines the name of the certificate
+                    description: |-
-                      resolver to use. Cert resolvers have to be configured in the
+                      CertResolver defines the name of the certificate resolver to use.
-                      static configuration. More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers'
+                      Cert resolvers have to be configured in the static configuration.
+                      More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers
                     type: string
                   domains:
-                    description: 'Domains defines the list of domains that will be
+                    description: |-
-                      used to issue certificates. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains'
+                      Domains defines the list of domains that will be used to issue certificates.
+                      More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -164,9 +188,10 @@ spec:
                       type: object
                     type: array
                   options:
-                    description: 'Options defines the reference to a TLSOption, that
+                    description: |-
-                      specifies the parameters of the TLS connection. If not defined,
+                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
-                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
+                      If not defined, the `default` TLSOption is used.
+                      More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options
                     properties:
                       name:
                         description: Name defines the name of the referenced Traefik
@@ -188,9 +213,9 @@ spec:
                       Secret to specify the certificate details.
                     type: string
                   store:
-                    description: Store defines the reference to the TLSStore, that
+                    description: |-
-                      will be used to store certificates. Please note that only `default`
+                      Store defines the reference to the TLSStore, that will be used to store certificates.
-                      TLSStore can be used.
+                      Please note that only `default` TLSStore can be used.
                     properties:
                       name:
                         description: Name defines the name of the referenced Traefik

docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: ingressrouteudps.traefik.io
 spec:
   group: traefik.io
@@ -20,14 +20,19 @@ spec:
         description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -35,10 +40,11 @@ spec:
             description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
             properties:
               entryPoints:
-                description: 'EntryPoints defines the list of entry point names to
+                description: |-
-                  bind to. Entry points have to be configured in the static configuration.
+                  EntryPoints defines the list of entry point names to bind to.
+                  Entry points have to be configured in the static configuration.
                   More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
-                  Default: all.'
+                  Default: all.
                 items:
                   type: string
                 type: array
@@ -62,17 +68,18 @@ spec:
                               Kubernetes Service.
                             type: string
                           nativeLB:
-                            description: NativeLB controls, when creating the load-balancer,
+                            description: |-
-                              whether the LB's children are directly the pods IPs
+                              NativeLB controls, when creating the load-balancer,
-                              or if the only child is the Kubernetes Service clusterIP.
+                              whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
-                              The Kubernetes Service itself does load-balance to the
+                              The Kubernetes Service itself does load-balance to the pods.
-                              pods. By default, NativeLB is false.
+                              By default, NativeLB is false.
                             type: boolean
                           port:
                             anyOf:
                             - type: integer
                             - type: string
-                            description: Port defines the port of a Kubernetes Service.
+                            description: |-
+                              Port defines the port of a Kubernetes Service.
                               This can be a reference to a named port.
                             x-kubernetes-int-or-string: true
                           weight:

docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: middlewares.traefik.io
 spec:
   group: traefik.io
@@ -17,18 +17,24 @@ spec:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: 'Middleware is the CRD implementation of a Traefik Middleware.
+        description: |-
-          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/overview/'
+          Middleware is the CRD implementation of a Traefik Middleware.
+          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/overview/
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -36,33 +42,37 @@ spec:
             description: MiddlewareSpec defines the desired state of a Middleware.
             properties:
               addPrefix:
-                description: 'AddPrefix holds the add prefix middleware configuration.
+                description: |-
-                  This middleware updates the path of a request before forwarding
+                  AddPrefix holds the add prefix middleware configuration.
-                  it. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/addprefix/'
+                  This middleware updates the path of a request before forwarding it.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/addprefix/
                 properties:
                   prefix:
-                    description: Prefix is the string to add before the current path
+                    description: |-
-                      in the requested URL. It should include a leading slash (/).
+                      Prefix is the string to add before the current path in the requested URL.
+                      It should include a leading slash (/).
                     type: string
                 type: object
               basicAuth:
-                description: 'BasicAuth holds the basic auth middleware configuration.
+                description: |-
+                  BasicAuth holds the basic auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/
                 properties:
                   headerField:
-                    description: 'HeaderField defines a header field to store the
+                    description: |-
-                      authenticated user. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield'
+                      HeaderField defines a header field to store the authenticated user.
+                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
-                    description: 'Realm allows the protected resources on a server
+                    description: |-
-                      to be partitioned into a set of protection spaces, each with
+                      Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
-                      its own authentication scheme. Default: traefik.'
+                      Default: traefik.
                     type: string
                   removeHeader:
-                    description: 'RemoveHeader sets the removeHeader option to true
+                    description: |-
-                      to remove the authorization header before forwarding the request
+                      RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service.
-                      to your service. Default: false.'
+                      Default: false.
                     type: boolean
                   secret:
                     description: Secret is the name of the referenced Kubernetes Secret
@@ -70,48 +80,49 @@ spec:
                     type: string
                 type: object
               buffering:
-                description: 'Buffering holds the buffering middleware configuration.
+                description: |-
-                  This middleware retries or limits the size of requests that can
+                  Buffering holds the buffering middleware configuration.
-                  be forwarded to backends. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#maxrequestbodybytes'
+                  This middleware retries or limits the size of requests that can be forwarded to backends.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#maxrequestbodybytes
                 properties:
                   maxRequestBodyBytes:
-                    description: 'MaxRequestBodyBytes defines the maximum allowed
+                    description: |-
-                      body size for the request (in bytes). If the request exceeds
+                      MaxRequestBodyBytes defines the maximum allowed body size for the request (in bytes).
-                      the allowed size, it is not forwarded to the service, and the
+                      If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a 413 (Request Entity Too Large) response.
-                      client gets a 413 (Request Entity Too Large) response. Default:
+                      Default: 0 (no maximum).
-                      0 (no maximum).'
                     format: int64
                     type: integer
                   maxResponseBodyBytes:
-                    description: 'MaxResponseBodyBytes defines the maximum allowed
+                    description: |-
-                      response size from the service (in bytes). If the response exceeds
+                      MaxResponseBodyBytes defines the maximum allowed response size from the service (in bytes).
-                      the allowed size, it is not forwarded to the client. The client
+                      If the response exceeds the allowed size, it is not forwarded to the client. The client gets a 500 (Internal Server Error) response instead.
-                      gets a 500 (Internal Server Error) response instead. Default:
+                      Default: 0 (no maximum).
-                      0 (no maximum).'
                     format: int64
                     type: integer
                   memRequestBodyBytes:
-                    description: 'MemRequestBodyBytes defines the threshold (in bytes)
+                    description: |-
-                      from which the request will be buffered on disk instead of in
+                      MemRequestBodyBytes defines the threshold (in bytes) from which the request will be buffered on disk instead of in memory.
-                      memory. Default: 1048576 (1Mi).'
+                      Default: 1048576 (1Mi).
                     format: int64
                     type: integer
                   memResponseBodyBytes:
-                    description: 'MemResponseBodyBytes defines the threshold (in bytes)
+                    description: |-
-                      from which the response will be buffered on disk instead of
+                      MemResponseBodyBytes defines the threshold (in bytes) from which the response will be buffered on disk instead of in memory.
-                      in memory. Default: 1048576 (1Mi).'
+                      Default: 1048576 (1Mi).
                     format: int64
                     type: integer
                   retryExpression:
-                    description: 'RetryExpression defines the retry conditions. It
+                    description: |-
-                      is a logical combination of functions with operators AND (&&)
+                      RetryExpression defines the retry conditions.
-                      and OR (||). More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#retryexpression'
+                      It is a logical combination of functions with operators AND (&&) and OR (||).
+                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#retryexpression
                     type: string
                 type: object
               chain:
-                description: 'Chain holds the configuration of the chain middleware.
+                description: |-
-                  This middleware enables to define reusable combinations of other
+                  Chain holds the configuration of the chain middleware.
-                  pieces of middleware. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/chain/'
+                  This middleware enables to define reusable combinations of other pieces of middleware.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/chain/
                 properties:
                   middlewares:
                     description: Middlewares is the list of MiddlewareRef which composes
@@ -163,15 +174,15 @@ spec:
                     x-kubernetes-int-or-string: true
                 type: object
               compress:
-                description: 'Compress holds the compress middleware configuration.
+                description: |-
-                  This middleware compresses responses before sending them to the
+                  Compress holds the compress middleware configuration.
-                  client, using gzip compression. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/compress/'
+                  This middleware compresses responses before sending them to the client, using gzip compression.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/compress/
                 properties:
                   excludedContentTypes:
-                    description: ExcludedContentTypes defines the list of content
+                    description: |-
-                      types to compare the Content-Type header of the incoming requests
+                      ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing.
-                      and responses before compressing. `application/grpc` is always
+                      `application/grpc` is always excluded.
-                      excluded.
                     items:
                       type: string
                     type: array
@@ -183,30 +194,38 @@ spec:
                       type: string
                     type: array
                   minResponseBodyBytes:
-                    description: 'MinResponseBodyBytes defines the minimum amount
+                    description: |-
-                      of bytes a response body must have to be compressed. Default:
+                      MinResponseBodyBytes defines the minimum amount of bytes a response body must have to be compressed.
-                      1024.'
+                      Default: 1024.
                     type: integer
                 type: object
               contentType:
-                description: ContentType holds the content-type middleware configuration.
+                description: |-
-                  This middleware sets the `Content-Type` header value to the media
+                  ContentType holds the content-type middleware configuration.
-                  type detected from the response content, when it is not set by the
+                  This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
-                  backend.
+                properties:
+                  autoDetect:
+                    description: |-
+                      AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend,
+                      be automatically set to a value derived from the contents of the response.
+                      Deprecated: AutoDetect option is deprecated, Content-Type middleware is only meant to be used to enable the content-type detection, please remove any usage of this option.
+                    type: boolean
                 type: object
               digestAuth:
-                description: 'DigestAuth holds the digest auth middleware configuration.
+                description: |-
+                  DigestAuth holds the digest auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/digestauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/digestauth/
                 properties:
                   headerField:
-                    description: 'HeaderField defines a header field to store the
+                    description: |-
-                      authenticated user. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield'
+                      HeaderField defines a header field to store the authenticated user.
+                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
-                    description: 'Realm allows the protected resources on a server
+                    description: |-
-                      to be partitioned into a set of protection spaces, each with
+                      Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
-                      its own authentication scheme. Default: traefik.'
+                      Default: traefik.
                     type: string
                   removeHeader:
                     description: RemoveHeader defines whether to remove the authorization
@@ -218,18 +237,20 @@ spec:
                     type: string
                 type: object
               errors:
-                description: 'ErrorPage holds the custom error middleware configuration.
+                description: |-
-                  This middleware returns a custom page in lieu of the default, according
+                  ErrorPage holds the custom error middleware configuration.
-                  to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/'
+                  This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/
                 properties:
                   query:
-                    description: Query defines the URL for the error page (hosted
+                    description: |-
-                      by service). The {status} variable can be used in order to insert
+                      Query defines the URL for the error page (hosted by service).
-                      the status code in the URL.
+                      The {status} variable can be used in order to insert the status code in the URL.
                     type: string
                   service:
-                    description: 'Service defines the reference to a Kubernetes Service
+                    description: |-
-                      that will serve the error page. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/#service'
+                      Service defines the reference to a Kubernetes Service that will serve the error page.
+                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/#service
                     properties:
                       kind:
                         description: Kind defines the kind of the Service.
@@ -238,31 +259,32 @@ spec:
                         - TraefikService
                         type: string
                       name:
-                        description: Name defines the name of the referenced Kubernetes
+                        description: |-
-                          Service or TraefikService. The differentiation between the
+                          Name defines the name of the referenced Kubernetes Service or TraefikService.
-                          two is specified in the Kind field.
+                          The differentiation between the two is specified in the Kind field.
                         type: string
                       namespace:
                         description: Namespace defines the namespace of the referenced
                           Kubernetes Service or TraefikService.
                         type: string
                       nativeLB:
-                        description: NativeLB controls, when creating the load-balancer,
+                        description: |-
-                          whether the LB's children are directly the pods IPs or if
+                          NativeLB controls, when creating the load-balancer,
-                          the only child is the Kubernetes Service clusterIP. The
+                          whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
-                          Kubernetes Service itself does load-balance to the pods.
+                          The Kubernetes Service itself does load-balance to the pods.
                           By default, NativeLB is false.
                         type: boolean
                       passHostHeader:
-                        description: PassHostHeader defines whether the client Host
+                        description: |-
-                          header is forwarded to the upstream Kubernetes Service.
+                          PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
                           By default, passHostHeader is true.
                         type: boolean
                       port:
                         anyOf:
                         - type: integer
                         - type: string
-                        description: Port defines the port of a Kubernetes Service.
+                        description: |-
+                          Port defines the port of a Kubernetes Service.
                           This can be a reference to a named port.
                         x-kubernetes-int-or-string: true
                       responseForwarding:
@@ -271,29 +293,29 @@ spec:
                           client.
                         properties:
                           flushInterval:
-                            description: 'FlushInterval defines the interval, in milliseconds,
+                            description: |-
-                              in between flushes to the client while copying the response
+                              FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
-                              body. A negative value means to flush immediately after
+                              A negative value means to flush immediately after each write to the client.
-                              each write to the client. This configuration is ignored
+                              This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
-                              when ReverseProxy recognizes a response as a streaming
+                              for such responses, writes are flushed to the client immediately.
-                              response; for such responses, writes are flushed to
+                              Default: 100ms
-                              the client immediately. Default: 100ms'
                             type: string
                         type: object
                       scheme:
-                        description: Scheme defines the scheme to use for the request
+                        description: |-
-                          to the upstream Kubernetes Service. It defaults to https
+                          Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
-                          when Kubernetes Service port is 443, http otherwise.
+                          It defaults to https when Kubernetes Service port is 443, http otherwise.
                         type: string
                       serversTransport:
-                        description: ServersTransport defines the name of ServersTransport
+                        description: |-
-                          resource to use. It allows to configure the transport between
+                          ServersTransport defines the name of ServersTransport resource to use.
-                          Traefik and your servers. Can only be used on a Kubernetes
+                          It allows to configure the transport between Traefik and your servers.
-                          Service.
+                          Can only be used on a Kubernetes Service.
                         type: string
                       sticky:
-                        description: 'Sticky defines the sticky sessions configuration.
+                        description: |-
-                          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
+                          Sticky defines the sticky sessions configuration.
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
                         properties:
                           cookie:
                             description: Cookie defines the sticky cookie configuration.
@@ -303,17 +325,18 @@ spec:
                                   be accessed by client-side APIs, such as JavaScript.
                                 type: boolean
                               maxAge:
-                                description: MaxAge indicates the number of seconds
+                                description: |-
-                                  until the cookie expires. When set to a negative
+                                  MaxAge indicates the number of seconds until the cookie expires.
-                                  number, the cookie expires immediately. When set
+                                  When set to a negative number, the cookie expires immediately.
-                                  to zero, the cookie never expires.
+                                  When set to zero, the cookie never expires.
                                 type: integer
                               name:
                                 description: Name defines the Cookie name.
                                 type: string
                               sameSite:
-                                description: 'SameSite defines the same site policy.
+                                description: |-
-                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                                  SameSite defines the same site policy.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
                                 type: string
                               secure:
                                 description: Secure defines whether the cookie can
@@ -323,32 +346,34 @@ spec:
                             type: object
                         type: object
                       strategy:
-                        description: Strategy defines the load balancing strategy
+                        description: |-
-                          between the servers. RoundRobin is the only supported value
+                          Strategy defines the load balancing strategy between the servers.
-                          at the moment.
+                          RoundRobin is the only supported value at the moment.
                         type: string
                       weight:
-                        description: Weight defines the weight and should only be
+                        description: |-
-                          specified when Name references a TraefikService object (and
+                          Weight defines the weight and should only be specified when Name references a TraefikService object
-                          to be precise, one that embeds a Weighted Round Robin).
+                          (and to be precise, one that embeds a Weighted Round Robin).
                         type: integer
                     required:
                     - name
                     type: object
                   status:
-                    description: Status defines which status or range of statuses
+                    description: |-
-                      should result in an error page. It can be either a status code
+                      Status defines which status or range of statuses should result in an error page.
-                      as a number (500), as multiple comma-separated numbers (500,502),
+                      It can be either a status code as a number (500),
-                      as ranges by separating two codes with a dash (500-599), or
+                      as multiple comma-separated numbers (500,502),
-                      a combination of the two (404,418,500-599).
+                      as ranges by separating two codes with a dash (500-599),
+                      or a combination of the two (404,418,500-599).
                     items:
                       type: string
                     type: array
                 type: object
               forwardAuth:
-                description: 'ForwardAuth holds the forward auth middleware configuration.
+                description: |-
+                  ForwardAuth holds the forward auth middleware configuration.
                   This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/
                 properties:
                   addAuthCookiesToResponse:
                     description: AddAuthCookiesToResponse defines the list of cookies
@@ -360,9 +385,9 @@ spec:
                     description: Address defines the authentication server address.
                     type: string
                   authRequestHeaders:
-                    description: AuthRequestHeaders defines the list of the headers
+                    description: |-
-                      to copy from the request to the authentication server. If not
+                      AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server.
-                      set or empty then all request headers are passed.
+                      If not set or empty then all request headers are passed.
                     items:
                       type: string
                     type: array
@@ -374,24 +399,27 @@ spec:
                       type: string
                     type: array
                   authResponseHeadersRegex:
-                    description: 'AuthResponseHeadersRegex defines the regex to match
+                    description: |-
-                      headers to copy from the authentication server response and
+                      AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      set on forwarded request, after stripping all headers that match
+                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/#authresponseheadersregex
-                      the regex. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/#authresponseheadersregex'
                     type: string
                   tls:
                     description: TLS defines the configuration used to secure the
                       connection to the authentication server.
                     properties:
+                      caOptional:
+                        description: 'Deprecated: TLS client authentication is a server
+                          side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).'
+                        type: boolean
                       caSecret:
-                        description: CASecret is the name of the referenced Kubernetes
+                        description: |-
-                          Secret containing the CA to validate the server certificate.
+                          CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate.
                           The CA certificate is extracted from key `tls.ca` or `ca.crt`.
                         type: string
                       certSecret:
-                        description: CertSecret is the name of the referenced Kubernetes
+                        description: |-
-                          Secret containing the client certificate. The client certificate
+                          CertSecret is the name of the referenced Kubernetes Secret containing the client certificate.
-                          is extracted from the keys `tls.crt` and `tls.key`.
+                          The client certificate is extracted from the keys `tls.crt` and `tls.key`.
                         type: string
                       insecureSkipVerify:
                         description: InsecureSkipVerify defines whether the server
@@ -404,20 +432,23 @@ spec:
                     type: boolean
                 type: object
               grpcWeb:
-                description: GrpcWeb holds the gRPC web middleware configuration.
+                description: |-
+                  GrpcWeb holds the gRPC web middleware configuration.
                   This middleware converts a gRPC web request to an HTTP/2 gRPC request.
                 properties:
                   allowOrigins:
-                    description: AllowOrigins is a list of allowable origins. Can
+                    description: |-
-                      also be a wildcard origin "*".
+                      AllowOrigins is a list of allowable origins.
+                      Can also be a wildcard origin "*".
                     items:
                       type: string
                     type: array
                 type: object
               headers:
-                description: 'Headers holds the headers middleware configuration.
+                description: |-
-                  This middleware manages the requests and responses headers. More
+                  Headers holds the headers middleware configuration.
-                  info: https://doc.traefik.io/traefik/v3.0/middlewares/http/headers/#customrequestheaders'
+                  This middleware manages the requests and responses headers.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/headers/#customrequestheaders
                 properties:
                   accessControlAllowCredentials:
                     description: AccessControlAllowCredentials defines whether the
@@ -482,12 +513,14 @@ spec:
                       header with the nosniff value.
                     type: boolean
                   customBrowserXSSValue:
-                    description: CustomBrowserXSSValue defines the X-XSS-Protection
+                    description: |-
-                      header value. This overrides the BrowserXssFilter option.
+                      CustomBrowserXSSValue defines the X-XSS-Protection header value.
+                      This overrides the BrowserXssFilter option.
                     type: string
                   customFrameOptionsValue:
-                    description: CustomFrameOptionsValue defines the X-Frame-Options
+                    description: |-
-                      header value. This overrides the FrameDeny option.
+                      CustomFrameOptionsValue defines the X-Frame-Options header value.
+                      This overrides the FrameDeny option.
                     type: string
                   customRequestHeaders:
                     additionalProperties:
@@ -501,6 +534,10 @@ spec:
                     description: CustomResponseHeaders defines the header names and
                       values to apply to the response.
                     type: object
+                  featurePolicy:
+                    description: 'Deprecated: FeaturePolicy option is deprecated,
+                      please use PermissionsPolicy instead.'
+                    type: string
                   forceSTSHeader:
                     description: ForceSTSHeader defines whether to add the STS header
                       even when the connection is HTTP.
@@ -516,34 +553,49 @@ spec:
                       type: string
                     type: array
                   isDevelopment:
-                    description: IsDevelopment defines whether to mitigate the unwanted
+                    description: |-
-                      effects of the AllowedHosts, SSL, and STS options when developing.
+                      IsDevelopment defines whether to mitigate the unwanted effects of the AllowedHosts, SSL, and STS options when developing.
-                      Usually testing takes place using HTTP, not HTTPS, and on localhost,
+                      Usually testing takes place using HTTP, not HTTPS, and on localhost, not your production domain.
-                      not your production domain. If you would like your development
+                      If you would like your development environment to mimic production with complete Host blocking, SSL redirects,
-                      environment to mimic production with complete Host blocking,
+                      and STS headers, leave this as false.
-                      SSL redirects, and STS headers, leave this as false.
                     type: boolean
                   permissionsPolicy:
-                    description: PermissionsPolicy defines the Permissions-Policy
+                    description: |-
-                      header value. This allows sites to control browser features.
+                      PermissionsPolicy defines the Permissions-Policy header value.
+                      This allows sites to control browser features.
                     type: string
                   publicKey:
                     description: PublicKey is the public key that implements HPKP
                       to prevent MITM attacks with forged certificates.
                     type: string
                   referrerPolicy:
-                    description: ReferrerPolicy defines the Referrer-Policy header
+                    description: |-
-                      value. This allows sites to control whether browsers forward
+                      ReferrerPolicy defines the Referrer-Policy header value.
-                      the Referer header to other sites.
+                      This allows sites to control whether browsers forward the Referer header to other sites.
+                    type: string
+                  sslForceHost:
+                    description: 'Deprecated: SSLForceHost option is deprecated, please
+                      use RedirectRegex instead.'
+                    type: boolean
+                  sslHost:
+                    description: 'Deprecated: SSLHost option is deprecated, please
+                      use RedirectRegex instead.'
                     type: string
                   sslProxyHeaders:
                     additionalProperties:
                       type: string
-                    description: 'SSLProxyHeaders defines the header keys with associated
+                    description: |-
-                      values that would indicate a valid HTTPS request. It can be
+                      SSLProxyHeaders defines the header keys with associated values that would indicate a valid HTTPS request.
-                      useful when using other proxies (example: "X-Forwarded-Proto":
+                      It can be useful when using other proxies (example: "X-Forwarded-Proto": "https").
-                      "https").'
                     type: object
+                  sslRedirect:
+                    description: 'Deprecated: SSLRedirect option is deprecated, please
+                      use EntryPoint redirection or RedirectScheme instead.'
+                    type: boolean
+                  sslTemporaryRedirect:
+                    description: 'Deprecated: SSLTemporaryRedirect option is deprecated,
+                      please use EntryPoint redirection or RedirectScheme instead.'
+                    type: boolean
                   stsIncludeSubdomains:
                     description: STSIncludeSubdomains defines whether the includeSubDomains
                       directive is appended to the Strict-Transport-Security header.
@@ -553,33 +605,35 @@ spec:
                       to the Strict-Transport-Security header.
                     type: boolean
                   stsSeconds:
-                    description: STSSeconds defines the max-age of the Strict-Transport-Security
+                    description: |-
-                      header. If set to 0, the header is not set.
+                      STSSeconds defines the max-age of the Strict-Transport-Security header.
+                      If set to 0, the header is not set.
                     format: int64
                     type: integer
                 type: object
               inFlightReq:
-                description: 'InFlightReq holds the in-flight request middleware configuration.
+                description: |-
-                  This middleware limits the number of requests being processed and
+                  InFlightReq holds the in-flight request middleware configuration.
-                  served concurrently. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/'
+                  This middleware limits the number of requests being processed and served concurrently.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/
                 properties:
                   amount:
-                    description: Amount defines the maximum amount of allowed simultaneous
+                    description: |-
-                      in-flight request. The middleware responds with HTTP 429 Too
+                      Amount defines the maximum amount of allowed simultaneous in-flight request.
-                      Many Requests if there are already amount requests in progress
+                      The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy).
-                      (based on the same sourceCriterion strategy).
                     format: int64
                     type: integer
                   sourceCriterion:
-                    description: 'SourceCriterion defines what criterion is used to
+                    description: |-
-                      group requests as originating from a common source. If several
+                      SourceCriterion defines what criterion is used to group requests as originating from a common source.
-                      strategies are defined at the same time, an error will be raised.
+                      If several strategies are defined at the same time, an error will be raised.
-                      If none are set, the default is to use the requestHost. More
+                      If none are set, the default is to use the requestHost.
-                      info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/#sourcecriterion'
+                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/#sourcecriterion
                     properties:
                       ipStrategy:
-                        description: 'IPStrategy holds the IP strategy configuration
+                        description: |-
-                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
+                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
+                          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -605,13 +659,15 @@ spec:
                     type: object
                 type: object
               ipAllowList:
-                description: 'IPAllowList holds the IP allowlist middleware configuration.
+                description: |-
+                  IPAllowList holds the IP allowlist middleware configuration.
                   This middleware accepts / refuses requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/
                 properties:
                   ipStrategy:
-                    description: 'IPStrategy holds the IP strategy configuration used
+                    description: |-
-                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
+                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
+                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -626,8 +682,9 @@ spec:
                         type: array
                     type: object
                   rejectStatusCode:
-                    description: RejectStatusCode defines the HTTP status code used
+                    description: |-
-                      for refused requests. If not set, the default is 403 (Forbidden).
+                      RejectStatusCode defines the HTTP status code used for refused requests.
+                      If not set, the default is 403 (Forbidden).
                     type: integer
                   sourceRange:
                     description: SourceRange defines the set of allowed IPs (or ranges
@@ -640,8 +697,9 @@ spec:
                 description: 'Deprecated: please use IPAllowList instead.'
                 properties:
                   ipStrategy:
-                    description: 'IPStrategy holds the IP strategy configuration used
+                    description: |-
-                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
+                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
+                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -663,9 +721,10 @@ spec:
                     type: array
                 type: object
               passTLSClientCert:
-                description: 'PassTLSClientCert holds the pass TLS client cert middleware
+                description: |-
-                  configuration. This middleware adds the selected data from the passed
+                  PassTLSClientCert holds the pass TLS client cert middleware configuration.
-                  client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/passtlsclientcert/'
+                  This middleware adds the selected data from the passed client TLS certificate to a header.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/passtlsclientcert/
                 properties:
                   info:
                     description: Info selects the specific client certificate details
@@ -766,46 +825,48 @@ spec:
               plugin:
                 additionalProperties:
                   x-kubernetes-preserve-unknown-fields: true
-                description: 'Plugin defines the middleware plugin configuration.
+                description: |-
-                  More info: https://doc.traefik.io/traefik/plugins/'
+                  Plugin defines the middleware plugin configuration.
+                  More info: https://doc.traefik.io/traefik/plugins/
                 type: object
               rateLimit:
-                description: 'RateLimit holds the rate limit configuration. This middleware
+                description: |-
-                  ensures that services will receive a fair amount of requests, and
+                  RateLimit holds the rate limit configuration.
-                  allows one to define what fair is. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ratelimit/'
+                  This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ratelimit/
                 properties:
                   average:
-                    description: Average is the maximum rate, by default in requests/s,
+                    description: |-
-                      allowed for the given source. It defaults to 0, which means
+                      Average is the maximum rate, by default in requests/s, allowed for the given source.
-                      no rate limiting. The rate is actually defined by dividing Average
+                      It defaults to 0, which means no rate limiting.
-                      by Period. So for a rate below 1req/s, one needs to define a
+                      The rate is actually defined by dividing Average by Period. So for a rate below 1req/s,
-                      Period larger than a second.
+                      one needs to define a Period larger than a second.
                     format: int64
                     type: integer
                   burst:
-                    description: Burst is the maximum number of requests allowed to
+                    description: |-
-                      arrive in the same arbitrarily small period of time. It defaults
+                      Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time.
-                      to 1.
+                      It defaults to 1.
                     format: int64
                     type: integer
                   period:
                     anyOf:
                     - type: integer
                     - type: string
-                    description: 'Period, in combination with Average, defines the
+                    description: |-
-                      actual maximum rate, such as: r = Average / Period. It defaults
+                      Period, in combination with Average, defines the actual maximum rate, such as:
-                      to a second.'
+                      r = Average / Period. It defaults to a second.
                     x-kubernetes-int-or-string: true
                   sourceCriterion:
-                    description: SourceCriterion defines what criterion is used to
+                    description: |-
-                      group requests as originating from a common source. If several
+                      SourceCriterion defines what criterion is used to group requests as originating from a common source.
-                      strategies are defined at the same time, an error will be raised.
+                      If several strategies are defined at the same time, an error will be raised.
-                      If none are set, the default is to use the request's remote
+                      If none are set, the default is to use the request's remote address field (as an ipStrategy).
-                      address field (as an ipStrategy).
                     properties:
                       ipStrategy:
-                        description: 'IPStrategy holds the IP strategy configuration
+                        description: |-
-                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
+                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
+                          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -831,9 +892,10 @@ spec:
                     type: object
                 type: object
               redirectRegex:
-                description: 'RedirectRegex holds the redirect regex middleware configuration.
+                description: |-
+                  RedirectRegex holds the redirect regex middleware configuration.
                   This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectregex/#regex'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectregex/#regex
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
@@ -849,9 +911,10 @@ spec:
                     type: string
                 type: object
               redirectScheme:
-                description: 'RedirectScheme holds the redirect scheme middleware
+                description: |-
-                  configuration. This middleware redirects requests from a scheme/port
+                  RedirectScheme holds the redirect scheme middleware configuration.
-                  to another. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectscheme/'
+                  This middleware redirects requests from a scheme/port to another.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectscheme/
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
@@ -865,9 +928,10 @@ spec:
                     type: string
                 type: object
               replacePath:
-                description: 'ReplacePath holds the replace path middleware configuration.
+                description: |-
-                  This middleware replaces the path of the request URL and store the
+                  ReplacePath holds the replace path middleware configuration.
-                  original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepath/'
+                  This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepath/
                 properties:
                   path:
                     description: Path defines the path to use as replacement in the
@@ -875,9 +939,10 @@ spec:
                     type: string
                 type: object
               replacePathRegex:
-                description: 'ReplacePathRegex holds the replace path regex middleware
+                description: |-
-                  configuration. This middleware replaces the path of a URL using
+                  ReplacePathRegex holds the replace path regex middleware configuration.
-                  regex matching and replacement. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepathregex/'
+                  This middleware replaces the path of a URL using regex matching and replacement.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepathregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression used to match
@@ -889,11 +954,11 @@ spec:
                     type: string
                 type: object
               retry:
-                description: 'Retry holds the retry middleware configuration. This
+                description: |-
-                  middleware reissues requests a given number of times to a backend
+                  Retry holds the retry middleware configuration.
-                  server if that server does not reply. As soon as the server answers,
+                  This middleware reissues requests a given number of times to a backend server if that server does not reply.
-                  the middleware stops retrying, regardless of the response status.
+                  As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/retry/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/retry/
                 properties:
                   attempts:
                     description: Attempts defines how many times the request should
@@ -903,18 +968,26 @@ spec:
                     anyOf:
                     - type: integer
                     - type: string
-                    description: InitialInterval defines the first wait time in the
+                    description: |-
-                      exponential backoff series. The maximum interval is calculated
+                      InitialInterval defines the first wait time in the exponential backoff series.
-                      as twice the initialInterval. If unspecified, requests will
+                      The maximum interval is calculated as twice the initialInterval.
-                      be retried immediately. The value of initialInterval should
+                      If unspecified, requests will be retried immediately.
-                      be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration.
+                      The value of initialInterval should be provided in seconds or as a valid duration format,
+                      see https://pkg.go.dev/time#ParseDuration.
                     x-kubernetes-int-or-string: true
                 type: object
               stripPrefix:
-                description: 'StripPrefix holds the strip prefix middleware configuration.
+                description: |-
+                  StripPrefix holds the strip prefix middleware configuration.
                   This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefix/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefix/
                 properties:
+                  forceSlash:
+                    description: |-
+                      Deprecated: ForceSlash option is deprecated, please remove any usage of this option.
+                      ForceSlash ensures that the resulting stripped path is not the empty string, by replacing it with / when necessary.
+                      Default: true.
+                    type: boolean
                   prefixes:
                     description: Prefixes defines the prefixes to strip from the request
                       URL.
@@ -923,9 +996,10 @@ spec:
                     type: array
                 type: object
               stripPrefixRegex:
-                description: 'StripPrefixRegex holds the strip prefix regex middleware
+                description: |-
-                  configuration. This middleware removes the matching prefixes from
+                  StripPrefixRegex holds the strip prefix regex middleware configuration.
-                  the URL path. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefixregex/'
+                  This middleware removes the matching prefixes from the URL path.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefixregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression to match the

docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: middlewaretcps.traefik.io
 spec:
   group: traefik.io
@@ -17,18 +17,24 @@ spec:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
+        description: |-
-          More info: https://doc.traefik.io/traefik/v3.0/middlewares/overview/'
+          MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
+          More info: https://doc.traefik.io/traefik/v3.0/middlewares/overview/
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -39,14 +45,17 @@ spec:
                 description: InFlightConn defines the InFlightConn middleware configuration.
                 properties:
                   amount:
-                    description: Amount defines the maximum amount of allowed simultaneous
+                    description: |-
-                      connections. The middleware closes the connection if there are
+                      Amount defines the maximum amount of allowed simultaneous connections.
-                      already amount connections opened.
+                      The middleware closes the connection if there are already amount connections opened.
                     format: int64
                     type: integer
                 type: object
               ipAllowList:
-                description: IPAllowList defines the IPAllowList middleware configuration.
+                description: |-
+                  IPAllowList defines the IPAllowList middleware configuration.
+                  This middleware accepts/refuses connections based on the client IP.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/tcp/ipallowlist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of
@@ -56,8 +65,11 @@ spec:
                     type: array
                 type: object
               ipWhiteList:
-                description: 'IPWhiteList defines the IPWhiteList middleware configuration.
+                description: |-
-                  Deprecated: please use IPAllowList instead.'
+                  IPWhiteList defines the IPWhiteList middleware configuration.
+                  This middleware accepts/refuses connections based on the client IP.
+                  Deprecated: please use IPAllowList instead.
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/tcp/ipwhitelist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of

docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: serverstransports.traefik.io
 spec:
   group: traefik.io
@@ -17,20 +17,26 @@ spec:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: 'ServersTransport is the CRD implementation of a ServersTransport.
+        description: |-
+          ServersTransport is the CRD implementation of a ServersTransport.
           If no serversTransport is specified, the default@internal will be used.
           The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_1'
+          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_1
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object

docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: serverstransporttcps.traefik.io
 spec:
   group: traefik.io
@@ -17,20 +17,26 @@ spec:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: 'ServersTransportTCP is the CRD implementation of a TCPServersTransport.
+        description: |-
-          If no tcpServersTransport is specified, a default one named default@internal
+          ServersTransportTCP is the CRD implementation of a TCPServersTransport.
-          will be used. The default@internal tcpServersTransport can be configured
+          If no tcpServersTransport is specified, a default one named default@internal will be used.
-          in the static configuration. More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_3'
+          The default@internal tcpServersTransport can be configured in the static configuration.
+          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_3
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -76,9 +82,9 @@ spec:
                     description: InsecureSkipVerify disables TLS certificate verification.
                     type: boolean
                   peerCertURI:
-                    description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
+                    description: |-
-                      to keep per-host. PeerCertURI defines the peer cert URI used
+                      MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
-                      to match against SAN URI during the peer certificate verification.
+                      PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
                     type: string
                   rootCAsSecrets:
                     description: RootCAsSecrets defines a list of CA secret used to

docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: tlsoptions.traefik.io
 spec:
   group: traefik.io
@@ -17,19 +17,24 @@ spec:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: 'TLSOption is the CRD implementation of a Traefik TLS Option,
+        description: |-
-          allowing to configure some parameters of the TLS connection. More info:
+          TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
+          More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -37,15 +42,16 @@ spec:
             description: TLSOptionSpec defines the desired state of a TLSOption.
             properties:
               alpnProtocols:
-                description: 'ALPNProtocols defines the list of supported application
+                description: |-
-                  level protocols for the TLS handshake, in order of preference. More
+                  ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  info: https://doc.traefik.io/traefik/v3.0/https/tls/#alpn-protocols'
+                  More info: https://doc.traefik.io/traefik/v3.0/https/tls/#alpn-protocols
                 items:
                   type: string
                 type: array
               cipherSuites:
-                description: 'CipherSuites defines the list of supported cipher suites
+                description: |-
-                  for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#cipher-suites'
+                  CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
+                  More info: https://doc.traefik.io/traefik/v3.0/https/tls/#cipher-suites
                 items:
                   type: string
                 type: array
@@ -71,21 +77,30 @@ spec:
                     type: array
                 type: object
               curvePreferences:
-                description: 'CurvePreferences defines the preferred elliptic curves
+                description: |-
-                  in a specific order. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#curve-preferences'
+                  CurvePreferences defines the preferred elliptic curves in a specific order.
+                  More info: https://doc.traefik.io/traefik/v3.0/https/tls/#curve-preferences
                 items:
                   type: string
                 type: array
               maxVersion:
-                description: 'MaxVersion defines the maximum TLS version that Traefik
+                description: |-
-                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
+                  MaxVersion defines the maximum TLS version that Traefik will accept.
-                  VersionTLS13. Default: None.'
+                  Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+                  Default: None.
                 type: string
               minVersion:
-                description: 'MinVersion defines the minimum TLS version that Traefik
+                description: |-
-                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
+                  MinVersion defines the minimum TLS version that Traefik will accept.
-                  VersionTLS13. Default: VersionTLS10.'
+                  Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+                  Default: VersionTLS10.
                 type: string
+              preferServerCipherSuites:
+                description: |-
+                  PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
+                  It is enabled automatically when minVersion or maxVersion is set.
+                  Deprecated: https://github.com/golang/go/issues/45430
+                type: boolean
               sniStrict:
                 description: SniStrict defines whether Traefik allows connections
                   from clients connections that do not specify a server_name extension.

docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: tlsstores.traefik.io
 spec:
   group: traefik.io
@@ -17,20 +17,26 @@ spec:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For
+        description: |-
-          the time being, only the TLSStore named default is supported. This means
+          TLSStore is the CRD implementation of a Traefik TLS Store.
-          that you cannot have two stores that are named default in different Kubernetes
+          For the time being, only the TLSStore named default is supported.
-          namespaces. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#certificates-stores'
+          This means that you cannot have two stores that are named default in different Kubernetes namespaces.
+          More info: https://doc.traefik.io/traefik/v3.0/https/tls/#certificates-stores
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object

docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: traefikservices.traefik.io
 spec:
   group: traefik.io
@@ -17,19 +17,27 @@ spec:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: 'TraefikService is the CRD implementation of a Traefik Service.
+        description: |-
-          TraefikService object allows to: - Apply weight to Services on load-balancing
+          TraefikService is the CRD implementation of a Traefik Service.
-          - Mirror traffic on services More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-traefikservice'
+          TraefikService object allows to:
+          - Apply weight to Services on load-balancing
+          - Mirror traffic on services
+          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-traefikservice
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
+            description: |-
-              of an object. Servers should convert recognized schemas to the latest
+              APIVersion defines the versioned schema of this representation of an object.
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
+            description: |-
-              object represents. Servers may infer this from the endpoint the client
+              Kind is a string value representing the REST resource this object represents.
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -46,10 +54,10 @@ spec:
                     - TraefikService
                     type: string
                   maxBodySize:
-                    description: MaxBodySize defines the maximum size allowed for
+                    description: |-
-                      the body of the request. If the body is larger, the request
+                      MaxBodySize defines the maximum size allowed for the body of the request.
-                      is not mirrored. Default value is -1, which means unlimited
+                      If the body is larger, the request is not mirrored.
-                      size.
+                      Default value is -1, which means unlimited size.
                     format: int64
                     type: integer
                   mirrors:
@@ -65,35 +73,37 @@ spec:
                           - TraefikService
                           type: string
                         name:
-                          description: Name defines the name of the referenced Kubernetes
+                          description: |-
-                            Service or TraefikService. The differentiation between
+                            Name defines the name of the referenced Kubernetes Service or TraefikService.
-                            the two is specified in the Kind field.
+                            The differentiation between the two is specified in the Kind field.
                           type: string
                         namespace:
                           description: Namespace defines the namespace of the referenced
                             Kubernetes Service or TraefikService.
                           type: string
                         nativeLB:
-                          description: NativeLB controls, when creating the load-balancer,
+                          description: |-
-                            whether the LB's children are directly the pods IPs or
+                            NativeLB controls, when creating the load-balancer,
-                            if the only child is the Kubernetes Service clusterIP.
+                            whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
-                            The Kubernetes Service itself does load-balance to the
+                            The Kubernetes Service itself does load-balance to the pods.
-                            pods. By default, NativeLB is false.
+                            By default, NativeLB is false.
                           type: boolean
                         passHostHeader:
-                          description: PassHostHeader defines whether the client Host
+                          description: |-
-                            header is forwarded to the upstream Kubernetes Service.
+                            PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
                             By default, passHostHeader is true.
                           type: boolean
                         percent:
-                          description: 'Percent defines the part of the traffic to
+                          description: |-
-                            mirror. Supported values: 0 to 100.'
+                            Percent defines the part of the traffic to mirror.
+                            Supported values: 0 to 100.
                           type: integer
                         port:
                           anyOf:
                           - type: integer
                           - type: string
-                          description: Port defines the port of a Kubernetes Service.
+                          description: |-
+                            Port defines the port of a Kubernetes Service.
                             This can be a reference to a named port.
                           x-kubernetes-int-or-string: true
                         responseForwarding:
@@ -102,30 +112,29 @@ spec:
                             client.
                           properties:
                             flushInterval:
-                              description: 'FlushInterval defines the interval, in
+                              description: |-
-                                milliseconds, in between flushes to the client while
+                                FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
-                                copying the response body. A negative value means
+                                A negative value means to flush immediately after each write to the client.
-                                to flush immediately after each write to the client.
+                                This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
-                                This configuration is ignored when ReverseProxy recognizes
+                                for such responses, writes are flushed to the client immediately.
-                                a response as a streaming response; for such responses,
+                                Default: 100ms
-                                writes are flushed to the client immediately. Default:
-                                100ms'
                               type: string
                           type: object
                         scheme:
-                          description: Scheme defines the scheme to use for the request
+                          description: |-
-                            to the upstream Kubernetes Service. It defaults to https
+                            Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
-                            when Kubernetes Service port is 443, http otherwise.
+                            It defaults to https when Kubernetes Service port is 443, http otherwise.
                           type: string
                         serversTransport:
-                          description: ServersTransport defines the name of ServersTransport
+                          description: |-
-                            resource to use. It allows to configure the transport
+                            ServersTransport defines the name of ServersTransport resource to use.
-                            between Traefik and your servers. Can only be used on
+                            It allows to configure the transport between Traefik and your servers.
-                            a Kubernetes Service.
+                            Can only be used on a Kubernetes Service.
                           type: string
                         sticky:
-                          description: 'Sticky defines the sticky sessions configuration.
+                          description: |-
-                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
+                            Sticky defines the sticky sessions configuration.
+                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -135,17 +144,18 @@ spec:
                                     can be accessed by client-side APIs, such as JavaScript.
                                   type: boolean
                                 maxAge:
-                                  description: MaxAge indicates the number of seconds
+                                  description: |-
-                                    until the cookie expires. When set to a negative
+                                    MaxAge indicates the number of seconds until the cookie expires.
-                                    number, the cookie expires immediately. When set
+                                    When set to a negative number, the cookie expires immediately.
-                                    to zero, the cookie never expires.
+                                    When set to zero, the cookie never expires.
                                   type: integer
                                 name:
                                   description: Name defines the Cookie name.
                                   type: string
                                 sameSite:
-                                  description: 'SameSite defines the same site policy.
+                                  description: |-
-                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                                    SameSite defines the same site policy.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
                                   type: string
                                 secure:
                                   description: Secure defines whether the cookie can
@@ -155,13 +165,13 @@ spec:
                               type: object
                           type: object
                         strategy:
-                          description: Strategy defines the load balancing strategy
+                          description: |-
-                            between the servers. RoundRobin is the only supported
+                            Strategy defines the load balancing strategy between the servers.
-                            value at the moment.
+                            RoundRobin is the only supported value at the moment.
                           type: string
                         weight:
-                          description: Weight defines the weight and should only be
+                          description: |-
-                            specified when Name references a TraefikService object
+                            Weight defines the weight and should only be specified when Name references a TraefikService object
                             (and to be precise, one that embeds a Weighted Round Robin).
                           type: integer
                       required:
@@ -169,60 +179,62 @@ spec:
                       type: object
                     type: array
                   name:
-                    description: Name defines the name of the referenced Kubernetes
+                    description: |-
-                      Service or TraefikService. The differentiation between the two
+                      Name defines the name of the referenced Kubernetes Service or TraefikService.
-                      is specified in the Kind field.
+                      The differentiation between the two is specified in the Kind field.
                     type: string
                   namespace:
                     description: Namespace defines the namespace of the referenced
                       Kubernetes Service or TraefikService.
                     type: string
                   nativeLB:
-                    description: NativeLB controls, when creating the load-balancer,
+                    description: |-
-                      whether the LB's children are directly the pods IPs or if the
+                      NativeLB controls, when creating the load-balancer,
-                      only child is the Kubernetes Service clusterIP. The Kubernetes
+                      whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
-                      Service itself does load-balance to the pods. By default, NativeLB
+                      The Kubernetes Service itself does load-balance to the pods.
-                      is false.
+                      By default, NativeLB is false.
                     type: boolean
                   passHostHeader:
-                    description: PassHostHeader defines whether the client Host header
+                    description: |-
-                      is forwarded to the upstream Kubernetes Service. By default,
+                      PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
-                      passHostHeader is true.
+                      By default, passHostHeader is true.
                     type: boolean
                   port:
                     anyOf:
                     - type: integer
                     - type: string
-                    description: Port defines the port of a Kubernetes Service. This
+                    description: |-
-                      can be a reference to a named port.
+                      Port defines the port of a Kubernetes Service.
+                      This can be a reference to a named port.
                     x-kubernetes-int-or-string: true
                   responseForwarding:
                     description: ResponseForwarding defines how Traefik forwards the
                       response from the upstream Kubernetes Service to the client.
                     properties:
                       flushInterval:
-                        description: 'FlushInterval defines the interval, in milliseconds,
+                        description: |-
-                          in between flushes to the client while copying the response
+                          FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
-                          body. A negative value means to flush immediately after
+                          A negative value means to flush immediately after each write to the client.
-                          each write to the client. This configuration is ignored
+                          This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
-                          when ReverseProxy recognizes a response as a streaming response;
                           for such responses, writes are flushed to the client immediately.
-                          Default: 100ms'
+                          Default: 100ms
                         type: string
                     type: object
                   scheme:
-                    description: Scheme defines the scheme to use for the request
+                    description: |-
-                      to the upstream Kubernetes Service. It defaults to https when
+                      Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
-                      Kubernetes Service port is 443, http otherwise.
+                      It defaults to https when Kubernetes Service port is 443, http otherwise.
                     type: string
                   serversTransport:
-                    description: ServersTransport defines the name of ServersTransport
+                    description: |-
-                      resource to use. It allows to configure the transport between
+                      ServersTransport defines the name of ServersTransport resource to use.
-                      Traefik and your servers. Can only be used on a Kubernetes Service.
+                      It allows to configure the transport between Traefik and your servers.
+                      Can only be used on a Kubernetes Service.
                     type: string
                   sticky:
-                    description: 'Sticky defines the sticky sessions configuration.
+                    description: |-
-                      More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
+                      Sticky defines the sticky sessions configuration.
+                      More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.
@@ -232,17 +244,18 @@ spec:
                               accessed by client-side APIs, such as JavaScript.
                             type: boolean
                           maxAge:
-                            description: MaxAge indicates the number of seconds until
+                            description: |-
-                              the cookie expires. When set to a negative number, the
+                              MaxAge indicates the number of seconds until the cookie expires.
-                              cookie expires immediately. When set to zero, the cookie
+                              When set to a negative number, the cookie expires immediately.
-                              never expires.
+                              When set to zero, the cookie never expires.
                             type: integer
                           name:
                             description: Name defines the Cookie name.
                             type: string
                           sameSite:
-                            description: 'SameSite defines the same site policy. More
+                            description: |-
-                              info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                              SameSite defines the same site policy.
+                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
                             type: string
                           secure:
                             description: Secure defines whether the cookie can only
@@ -251,13 +264,14 @@ spec:
                         type: object
                     type: object
                   strategy:
-                    description: Strategy defines the load balancing strategy between
+                    description: |-
-                      the servers. RoundRobin is the only supported value at the moment.
+                      Strategy defines the load balancing strategy between the servers.
+                      RoundRobin is the only supported value at the moment.
                     type: string
                   weight:
-                    description: Weight defines the weight and should only be specified
+                    description: |-
-                      when Name references a TraefikService object (and to be precise,
+                      Weight defines the weight and should only be specified when Name references a TraefikService object
-                      one that embeds a Weighted Round Robin).
+                      (and to be precise, one that embeds a Weighted Round Robin).
                     type: integer
                 required:
                 - name
@@ -279,31 +293,32 @@ spec:
                           - TraefikService
                           type: string
                         name:
-                          description: Name defines the name of the referenced Kubernetes
+                          description: |-
-                            Service or TraefikService. The differentiation between
+                            Name defines the name of the referenced Kubernetes Service or TraefikService.
-                            the two is specified in the Kind field.
+                            The differentiation between the two is specified in the Kind field.
                           type: string
                         namespace:
                           description: Namespace defines the namespace of the referenced
                             Kubernetes Service or TraefikService.
                           type: string
                         nativeLB:
-                          description: NativeLB controls, when creating the load-balancer,
+                          description: |-
-                            whether the LB's children are directly the pods IPs or
+                            NativeLB controls, when creating the load-balancer,
-                            if the only child is the Kubernetes Service clusterIP.
+                            whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
-                            The Kubernetes Service itself does load-balance to the
+                            The Kubernetes Service itself does load-balance to the pods.
-                            pods. By default, NativeLB is false.
+                            By default, NativeLB is false.
                           type: boolean
                         passHostHeader:
-                          description: PassHostHeader defines whether the client Host
+                          description: |-
-                            header is forwarded to the upstream Kubernetes Service.
+                            PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
                             By default, passHostHeader is true.
                           type: boolean
                         port:
                           anyOf:
                           - type: integer
                           - type: string
-                          description: Port defines the port of a Kubernetes Service.
+                          description: |-
+                            Port defines the port of a Kubernetes Service.
                             This can be a reference to a named port.
                           x-kubernetes-int-or-string: true
                         responseForwarding:
@@ -312,30 +327,29 @@ spec:
                             client.
                           properties:
                             flushInterval:
-                              description: 'FlushInterval defines the interval, in
+                              description: |-
-                                milliseconds, in between flushes to the client while
+                                FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
-                                copying the response body. A negative value means
+                                A negative value means to flush immediately after each write to the client.
-                                to flush immediately after each write to the client.
+                                This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
-                                This configuration is ignored when ReverseProxy recognizes
+                                for such responses, writes are flushed to the client immediately.
-                                a response as a streaming response; for such responses,
+                                Default: 100ms
-                                writes are flushed to the client immediately. Default:
-                                100ms'
                               type: string
                           type: object
                         scheme:
-                          description: Scheme defines the scheme to use for the request
+                          description: |-
-                            to the upstream Kubernetes Service. It defaults to https
+                            Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
-                            when Kubernetes Service port is 443, http otherwise.
+                            It defaults to https when Kubernetes Service port is 443, http otherwise.
                           type: string
                         serversTransport:
-                          description: ServersTransport defines the name of ServersTransport
+                          description: |-
-                            resource to use. It allows to configure the transport
+                            ServersTransport defines the name of ServersTransport resource to use.
-                            between Traefik and your servers. Can only be used on
+                            It allows to configure the transport between Traefik and your servers.
-                            a Kubernetes Service.
+                            Can only be used on a Kubernetes Service.
                           type: string
                         sticky:
-                          description: 'Sticky defines the sticky sessions configuration.
+                          description: |-
-                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
+                            Sticky defines the sticky sessions configuration.
+                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -345,17 +359,18 @@ spec:
                                     can be accessed by client-side APIs, such as JavaScript.
                                   type: boolean
                                 maxAge:
-                                  description: MaxAge indicates the number of seconds
+                                  description: |-
-                                    until the cookie expires. When set to a negative
+                                    MaxAge indicates the number of seconds until the cookie expires.
-                                    number, the cookie expires immediately. When set
+                                    When set to a negative number, the cookie expires immediately.
-                                    to zero, the cookie never expires.
+                                    When set to zero, the cookie never expires.
                                   type: integer
                                 name:
                                   description: Name defines the Cookie name.
                                   type: string
                                 sameSite:
-                                  description: 'SameSite defines the same site policy.
+                                  description: |-
-                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                                    SameSite defines the same site policy.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
                                   type: string
                                 secure:
                                   description: Secure defines whether the cookie can
@@ -365,13 +380,13 @@ spec:
                               type: object
                           type: object
                         strategy:
-                          description: Strategy defines the load balancing strategy
+                          description: |-
-                            between the servers. RoundRobin is the only supported
+                            Strategy defines the load balancing strategy between the servers.
-                            value at the moment.
+                            RoundRobin is the only supported value at the moment.
                           type: string
                         weight:
-                          description: Weight defines the weight and should only be
+                          description: |-
-                            specified when Name references a TraefikService object
+                            Weight defines the weight and should only be specified when Name references a TraefikService object
                             (and to be precise, one that embeds a Weighted Round Robin).
                           type: integer
                       required:
@@ -379,8 +394,9 @@ spec:
                       type: object
                     type: array
                   sticky:
-                    description: 'Sticky defines whether sticky sessions are enabled.
+                    description: |-
-                      More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
+                      Sticky defines whether sticky sessions are enabled.
+                      More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.
@@ -390,17 +406,18 @@ spec:
                               accessed by client-side APIs, such as JavaScript.
                             type: boolean
                           maxAge:
-                            description: MaxAge indicates the number of seconds until
+                            description: |-
-                              the cookie expires. When set to a negative number, the
+                              MaxAge indicates the number of seconds until the cookie expires.
-                              cookie expires immediately. When set to zero, the cookie
+                              When set to a negative number, the cookie expires immediately.
-                              never expires.
+                              When set to zero, the cookie never expires.
                             type: integer
                           name:
                             description: Name defines the Cookie name.
                             type: string
                           sameSite:
-                            description: 'SameSite defines the same site policy. More
+                            description: |-
-                              info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
+                              SameSite defines the same site policy.
+                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
                             type: string
                           secure:
                             description: Secure defines whether the cookie can only

docs/content/reference/static-configuration/cli-ref.md

@@ -6,6 +6,9 @@ THIS FILE MUST NOT BE EDITED BY HAND
 `--accesslog`:  
 Access log settings. (Default: ```false```)
 
+`--accesslog.addinternals`:  
+Enables access log for internal services (ping, dashboard, etc...). (Default: ```false```)
+
 `--accesslog.bufferingsize`:  
 Number of access log lines to process in a buffered way. (Default: ```0```)
 
@@ -180,6 +183,9 @@ Trust all. (Default: ```false```)
 `--entrypoints.<name>.proxyprotocol.trustedips`:  
 Trust only selected IPs.
 
+`--entrypoints.<name>.reuseport`:  
+Enables EntryPoints from the same or different processes listening on the same TCP/UDP port. (Default: ```false```)
+
 `--entrypoints.<name>.transport.keepalivemaxrequests`:  
 Maximum number of requests before closing a keep-alive connection. (Default: ```0```)
 
@@ -264,6 +270,9 @@ Maximum size in megabytes of the log file before it gets rotated. (Default: ```0
 `--log.nocolor`:  
 When using the 'common' format, disables the colorized output. (Default: ```false```)
 
+`--metrics.addinternals`:  
+Enables metrics for internal services (ping, dashboard, etc...). (Default: ```false```)
+
 `--metrics.datadog`:  
 Datadog metrics exporter type. (Default: ```false```)
 
@@ -315,51 +324,63 @@ InfluxDB v2 push interval. (Default: ```10```)
 `--metrics.influxdb2.token`:  
 InfluxDB v2 access token.
 
-`--metrics.opentelemetry`:  
+`--metrics.otlp`:  
 OpenTelemetry metrics exporter type. (Default: ```false```)
 
-`--metrics.opentelemetry.addentrypointslabels`:  
+`--metrics.otlp.addentrypointslabels`:  
 Enable metrics on entry points. (Default: ```true```)
 
-`--metrics.opentelemetry.address`:  
+`--metrics.otlp.addrouterslabels`:  
-Address (host:port) of the collector endpoint. (Default: ```localhost:4318```)
-
-`--metrics.opentelemetry.addrouterslabels`:  
 Enable metrics on routers. (Default: ```false```)
 
-`--metrics.opentelemetry.addserviceslabels`:  
+`--metrics.otlp.addserviceslabels`:  
 Enable metrics on services. (Default: ```true```)
 
-`--metrics.opentelemetry.explicitboundaries`:  
+`--metrics.otlp.explicitboundaries`:  
 Boundaries for latency metrics. (Default: ```0.005000, 0.010000, 0.025000, 0.050000, 0.100000, 0.250000, 0.500000, 1.000000, 2.500000, 5.000000, 10.000000```)
 
-`--metrics.opentelemetry.grpc`:  
+`--metrics.otlp.grpc.endpoint`:  
-gRPC specific configuration for the OpenTelemetry collector. (Default: ```true```)
+Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)
 
-`--metrics.opentelemetry.headers.<name>`:  
+`--metrics.otlp.grpc.headers.<name>`:  
 Headers sent with payload.
 
-`--metrics.opentelemetry.insecure`:  
+`--metrics.otlp.grpc.insecure`:  
 Disables client transport security for the exporter. (Default: ```false```)
 
-`--metrics.opentelemetry.path`:  
+`--metrics.otlp.grpc.tls.ca`:  
-Set the URL path of the collector endpoint.
-
-`--metrics.opentelemetry.pushinterval`:  
-Period between calls to collect a checkpoint. (Default: ```10```)
-
-`--metrics.opentelemetry.tls.ca`:  
 TLS CA
 
-`--metrics.opentelemetry.tls.cert`:  
+`--metrics.otlp.grpc.tls.cert`:  
 TLS cert
 
-`--metrics.opentelemetry.tls.insecureskipverify`:  
+`--metrics.otlp.grpc.tls.insecureskipverify`:  
 TLS insecure skip verify (Default: ```false```)
 
-`--metrics.opentelemetry.tls.key`:  
+`--metrics.otlp.grpc.tls.key`:  
 TLS key
 
+`--metrics.otlp.http.endpoint`:  
+Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)
+
+`--metrics.otlp.http.headers.<name>`:  
+Headers sent with payload.
+
+`--metrics.otlp.http.tls.ca`:  
+TLS CA
+
+`--metrics.otlp.http.tls.cert`:  
+TLS cert
+
+`--metrics.otlp.http.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--metrics.otlp.http.tls.key`:  
+TLS key
+
+`--metrics.otlp.pushinterval`:  
+Period between calls to collect a checkpoint. (Default: ```10```)
+
 `--metrics.prometheus`:  
 Prometheus metrics exporter type. (Default: ```false```)
 
@@ -990,18 +1011,21 @@ Defines the allowed SPIFFE trust domain.
 `--tracing`:  
 OpenTracing configuration. (Default: ```false```)
 
+`--tracing.addinternals`:  
+Enables tracing for internal services (ping, dashboard, etc...). (Default: ```false```)
+
 `--tracing.globalattributes.<name>`:  
 Defines additional attributes (key:value) on all spans.
 
-`--tracing.headers.<name>`:  
-Defines additional headers to be sent with the payloads.
-
 `--tracing.otlp`:  
 Settings for OpenTelemetry. (Default: ```false```)
 
 `--tracing.otlp.grpc.endpoint`:  
 Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)
 
+`--tracing.otlp.grpc.headers.<name>`:  
+Headers sent with payload.
+
 `--tracing.otlp.grpc.insecure`:  
 Disables client transport security for the exporter. (Default: ```false```)
 
@@ -1018,7 +1042,10 @@ TLS insecure skip verify (Default: ```false```)
 TLS key
 
 `--tracing.otlp.http.endpoint`:  
-Sets the HTTP endpoint (scheme://host:port/v1/traces) of the collector. (Default: ```localhost:4318```)
+Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)
+
+`--tracing.otlp.http.headers.<name>`:  
+Headers sent with payload.
 
 `--tracing.otlp.http.tls.ca`:  
 TLS CA

docs/content/reference/static-configuration/env-ref.md

@@ -6,6 +6,9 @@ THIS FILE MUST NOT BE EDITED BY HAND
 `TRAEFIK_ACCESSLOG`:  
 Access log settings. (Default: ```false```)
 
+`TRAEFIK_ACCESSLOG_ADDINTERNALS`:  
+Enables access log for internal services (ping, dashboard, etc...). (Default: ```false```)
+
 `TRAEFIK_ACCESSLOG_BUFFERINGSIZE`:  
 Number of access log lines to process in a buffered way. (Default: ```0```)
 
@@ -180,6 +183,9 @@ Trust all. (Default: ```false```)
 `TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL_TRUSTEDIPS`:  
 Trust only selected IPs.
 
+`TRAEFIK_ENTRYPOINTS_<NAME>_REUSEPORT`:  
+Enables EntryPoints from the same or different processes listening on the same TCP/UDP port. (Default: ```false```)
+
 `TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_KEEPALIVEMAXREQUESTS`:  
 Maximum number of requests before closing a keep-alive connection. (Default: ```0```)
 
@@ -264,6 +270,9 @@ Maximum size in megabytes of the log file before it gets rotated. (Default: ```0
 `TRAEFIK_LOG_NOCOLOR`:  
 When using the 'common' format, disables the colorized output. (Default: ```false```)
 
+`TRAEFIK_METRICS_ADDINTERNALS`:  
+Enables metrics for internal services (ping, dashboard, etc...). (Default: ```false```)
+
 `TRAEFIK_METRICS_DATADOG`:  
 Datadog metrics exporter type. (Default: ```false```)
 
@@ -315,51 +324,63 @@ InfluxDB v2 push interval. (Default: ```10```)
 `TRAEFIK_METRICS_INFLUXDB2_TOKEN`:  
 InfluxDB v2 access token.
 
-`TRAEFIK_METRICS_OPENTELEMETRY`:  
+`TRAEFIK_METRICS_OTLP`:  
 OpenTelemetry metrics exporter type. (Default: ```false```)
 
-`TRAEFIK_METRICS_OPENTELEMETRY_ADDENTRYPOINTSLABELS`:  
+`TRAEFIK_METRICS_OTLP_ADDENTRYPOINTSLABELS`:  
 Enable metrics on entry points. (Default: ```true```)
 
-`TRAEFIK_METRICS_OPENTELEMETRY_ADDRESS`:  
+`TRAEFIK_METRICS_OTLP_ADDROUTERSLABELS`:  
-Address (host:port) of the collector endpoint. (Default: ```localhost:4318```)
-
-`TRAEFIK_METRICS_OPENTELEMETRY_ADDROUTERSLABELS`:  
 Enable metrics on routers. (Default: ```false```)
 
-`TRAEFIK_METRICS_OPENTELEMETRY_ADDSERVICESLABELS`:  
+`TRAEFIK_METRICS_OTLP_ADDSERVICESLABELS`:  
 Enable metrics on services. (Default: ```true```)
 
-`TRAEFIK_METRICS_OPENTELEMETRY_EXPLICITBOUNDARIES`:  
+`TRAEFIK_METRICS_OTLP_EXPLICITBOUNDARIES`:  
 Boundaries for latency metrics. (Default: ```0.005000, 0.010000, 0.025000, 0.050000, 0.100000, 0.250000, 0.500000, 1.000000, 2.500000, 5.000000, 10.000000```)
 
-`TRAEFIK_METRICS_OPENTELEMETRY_GRPC`:  
+`TRAEFIK_METRICS_OTLP_GRPC_ENDPOINT`:  
-gRPC specific configuration for the OpenTelemetry collector. (Default: ```true```)
+Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)
 
-`TRAEFIK_METRICS_OPENTELEMETRY_HEADERS_<NAME>`:  
+`TRAEFIK_METRICS_OTLP_GRPC_HEADERS_<NAME>`:  
 Headers sent with payload.
 
-`TRAEFIK_METRICS_OPENTELEMETRY_INSECURE`:  
+`TRAEFIK_METRICS_OTLP_GRPC_INSECURE`:  
 Disables client transport security for the exporter. (Default: ```false```)
 
-`TRAEFIK_METRICS_OPENTELEMETRY_PATH`:  
+`TRAEFIK_METRICS_OTLP_GRPC_TLS_CA`:  
-Set the URL path of the collector endpoint.
-
-`TRAEFIK_METRICS_OPENTELEMETRY_PUSHINTERVAL`:  
-Period between calls to collect a checkpoint. (Default: ```10```)
-
-`TRAEFIK_METRICS_OPENTELEMETRY_TLS_CA`:  
 TLS CA
 
-`TRAEFIK_METRICS_OPENTELEMETRY_TLS_CERT`:  
+`TRAEFIK_METRICS_OTLP_GRPC_TLS_CERT`:  
 TLS cert
 
-`TRAEFIK_METRICS_OPENTELEMETRY_TLS_INSECURESKIPVERIFY`:  
+`TRAEFIK_METRICS_OTLP_GRPC_TLS_INSECURESKIPVERIFY`:  
 TLS insecure skip verify (Default: ```false```)
 
-`TRAEFIK_METRICS_OPENTELEMETRY_TLS_KEY`:  
+`TRAEFIK_METRICS_OTLP_GRPC_TLS_KEY`:  
 TLS key
 
+`TRAEFIK_METRICS_OTLP_HTTP_ENDPOINT`:  
+Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)
+
+`TRAEFIK_METRICS_OTLP_HTTP_HEADERS_<NAME>`:  
+Headers sent with payload.
+
+`TRAEFIK_METRICS_OTLP_HTTP_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_METRICS_OTLP_HTTP_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_METRICS_OTLP_HTTP_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_METRICS_OTLP_HTTP_TLS_KEY`:  
+TLS key
+
+`TRAEFIK_METRICS_OTLP_PUSHINTERVAL`:  
+Period between calls to collect a checkpoint. (Default: ```10```)
+
 `TRAEFIK_METRICS_PROMETHEUS`:  
 Prometheus metrics exporter type. (Default: ```false```)
 
@@ -990,18 +1011,21 @@ Defines the allowed SPIFFE trust domain.
 `TRAEFIK_TRACING`:  
 OpenTracing configuration. (Default: ```false```)
 
+`TRAEFIK_TRACING_ADDINTERNALS`:  
+Enables tracing for internal services (ping, dashboard, etc...). (Default: ```false```)
+
 `TRAEFIK_TRACING_GLOBALATTRIBUTES_<NAME>`:  
 Defines additional attributes (key:value) on all spans.
 
-`TRAEFIK_TRACING_HEADERS_<NAME>`:  
-Defines additional headers to be sent with the payloads.
-
 `TRAEFIK_TRACING_OTLP`:  
 Settings for OpenTelemetry. (Default: ```false```)
 
 `TRAEFIK_TRACING_OTLP_GRPC_ENDPOINT`:  
 Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)
 
+`TRAEFIK_TRACING_OTLP_GRPC_HEADERS_<NAME>`:  
+Headers sent with payload.
+
 `TRAEFIK_TRACING_OTLP_GRPC_INSECURE`:  
 Disables client transport security for the exporter. (Default: ```false```)
 
@@ -1018,7 +1042,10 @@ TLS insecure skip verify (Default: ```false```)
 TLS key
 
 `TRAEFIK_TRACING_OTLP_HTTP_ENDPOINT`:  
-Sets the HTTP endpoint (scheme://host:port/v1/traces) of the collector. (Default: ```localhost:4318```)
+Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)
+
+`TRAEFIK_TRACING_OTLP_HTTP_HEADERS_<NAME>`:  
+Headers sent with payload.
 
 `TRAEFIK_TRACING_OTLP_HTTP_TLS_CA`:  
 TLS CA

docs/content/reference/static-configuration/file.toml

@@ -30,6 +30,7 @@
 [entryPoints]
   [entryPoints.EntryPoint0]
     address = "foobar"
+    reusePort = true
     asDefault = true
     [entryPoints.EntryPoint0.transport]
       keepAliveMaxTime = "42s"
@@ -276,6 +277,7 @@
   disableDashboardAd = true
 
 [metrics]
+  addInternals = true
   [metrics.prometheus]
     buckets = [42.0, 42.0]
     addEntryPointsLabels = true
@@ -312,24 +314,33 @@
     [metrics.influxDB2.additionalLabels]
       name0 = "foobar"
       name1 = "foobar"
-  [metrics.openTelemetry]
+  [metrics.otlp]
-    address = "foobar"
     addEntryPointsLabels = true
     addRoutersLabels = true
     addServicesLabels = true
     explicitBoundaries = [42.0, 42.0]
-    insecure = true
-    path = "foobar"
     pushInterval = "42s"
-    [metrics.openTelemetry.grpc]
+    [metrics.otlp.grpc]
-    [metrics.openTelemetry.headers]
+      endpoint = "foobar"
-      name0 = "foobar"
+      insecure = true
-      name1 = "foobar"
+      [metrics.otlp.grpc.tls]
-    [metrics.openTelemetry.tls]
+        ca = "foobar"
-      ca = "foobar"
+        cert = "foobar"
-      cert = "foobar"
+        key = "foobar"
-      key = "foobar"
+        insecureSkipVerify = true
-      insecureSkipVerify = true
+      [metrics.otlp.grpc.headers]
+        name0 = "foobar"
+        name1 = "foobar"
+    [metrics.otlp.http]
+      endpoint = "foobar"
+      [metrics.otlp.http.tls]
+        ca = "foobar"
+        cert = "foobar"
+        key = "foobar"
+        insecureSkipVerify = true
+      [metrics.otlp.http.headers]
+        name0 = "foobar"
+        name1 = "foobar"
 
 [ping]
   entryPoint = "foobar"
@@ -350,6 +361,7 @@
   filePath = "foobar"
   format = "foobar"
   bufferingSize = 42
+  addInternals = true
   [accessLog.filters]
     statusCodes = ["foobar", "foobar"]
     retryAttempts = true
@@ -368,9 +380,7 @@
 [tracing]
   serviceName = "foobar"
   sampleRate = 42.0
-  [tracing.headers]
+  addInternals = true
-    name0 = "foobar"
-    name1 = "foobar"
   [tracing.globalAttributes]
     name0 = "foobar"
     name1 = "foobar"
@@ -383,6 +393,9 @@
         cert = "foobar"
         key = "foobar"
         insecureSkipVerify = true
+      [tracing.otlp.grpc.headers]
+        name0 = "foobar"
+        name1 = "foobar"
     [tracing.otlp.http]
       endpoint = "foobar"
       [tracing.otlp.http.tls]
@@ -390,6 +403,9 @@
         cert = "foobar"
         key = "foobar"
         insecureSkipVerify = true
+      [tracing.otlp.http.headers]
+        name0 = "foobar"
+        name1 = "foobar"
 
 [hostResolver]
   cnameFlattening = true

docs/content/reference/static-configuration/file.yaml

@@ -35,6 +35,7 @@ tcpServersTransport:
 entryPoints:
   EntryPoint0:
     address: foobar
+    reusePort: true
     asDefault: true
     transport:
       lifeCycle:
@@ -307,6 +308,7 @@ api:
   debug: true
   disableDashboardAd: true
 metrics:
+  addInternals: true
   prometheus:
     buckets:
       - 42
@@ -345,26 +347,35 @@ metrics:
     additionalLabels:
       name0: foobar
       name1: foobar
-  openTelemetry:
+  otlp:
-    grpc: {}
+    grpc:
-    address: foobar
+      endpoint: foobar
+      insecure: true
+      tls:
+        ca: foobar
+        cert: foobar
+        key: foobar
+        insecureSkipVerify: true
+      headers:
+        name0: foobar
+        name1: foobar
+    http:
+      endpoint: foobar
+      tls:
+        ca: foobar
+        cert: foobar
+        key: foobar
+        insecureSkipVerify: true
+      headers:
+        name0: foobar
+        name1: foobar
     addEntryPointsLabels: true
     addRoutersLabels: true
     addServicesLabels: true
     explicitBoundaries:
       - 42
       - 42
-    headers:
-      name0: foobar
-      name1: foobar
-    insecure: true
-    path: foobar
     pushInterval: 42s
-    tls:
-      ca: foobar
-      cert: foobar
-      key: foobar
-      insecureSkipVerify: true
 ping:
   entryPoint: foobar
   manualRouting: true
@@ -398,15 +409,14 @@ accessLog:
         name0: foobar
         name1: foobar
   bufferingSize: 42
+  addInternals: true
 tracing:
   serviceName: foobar
-  headers:
-    name0: foobar
-    name1: foobar
   globalAttributes:
     name0: foobar
     name1: foobar
   sampleRate: 42
+  addInternals: true
   otlp:
     grpc:
       endpoint: foobar
@@ -416,6 +426,9 @@ tracing:
         cert: foobar
         key: foobar
         insecureSkipVerify: true
+      headers:
+        name0: foobar
+        name1: foobar
     http:
       endpoint: foobar
       tls:
@@ -423,6 +436,9 @@ tracing:
         cert: foobar
         key: foobar
         insecureSkipVerify: true
+      headers:
+        name0: foobar
+        name1: foobar
 hostResolver:
   cnameFlattening: true
   resolvConfig: foobar

docs/content/routing/entrypoints.md

@@ -233,6 +233,79 @@ If both TCP and UDP are wanted for the same port, two entryPoints definitions ar
 
     Full details for how to specify `address` can be found in [net.Listen](https://golang.org/pkg/net/#Listen) (and [net.Dial](https://golang.org/pkg/net/#Dial)) of the doc for go.
 
+### ReusePort
+
+_Optional, Default=false_
+
+The `ReusePort` option enables EntryPoints from the same or different processes
+listening on the same TCP/UDP port by utilizing the `SO_REUSEPORT` socket option.
+It also allows the kernel to act like a load balancer to distribute incoming
+connections between entry points.
+
+For example, you can use it with the [transport.lifeCycle](#lifecycle) to do
+canary deployments against Traefik itself. Like upgrading Traefik version or
+reloading the static configuration without any service downtime.
+
+!!! warning "Supported platforms"
+
+    The `ReusePort` option currently works only on Linux, FreeBSD, OpenBSD and Darwin.
+    It will be ignored on other platforms.
+
+    There is a known bug in the Linux kernel that may cause unintended TCP connection failures when using the `ReusePort` option.
+    For more details, see https://lwn.net/Articles/853637/.
+
+??? example "Listen on the same port"
+
+    ```yaml tab="File (yaml)"
+    entryPoints:
+      web:
+        address: ":80"
+        reusePort: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [entryPoints.web]
+      address = ":80"
+      reusePort = true
+    ```
+
+    ```bash tab="CLI"
+    --entrypoints.web.address=:80
+    --entrypoints.web.reusePort=true
+    ```
+
+    Now it is possible to run multiple Traefik processes with the same EntryPoint configuration.
+
+??? example "Listen on the same port but bind to a different host"
+
+    ```yaml tab="File (yaml)"
+    entryPoints:
+      web:
+        address: ":80"
+        reusePort: true
+      privateWeb:
+        address: "192.168.1.2:80"
+        reusePort: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [entryPoints.web]
+      address = ":80"
+      reusePort = true
+    [entryPoints.privateWeb]
+      address = "192.168.1.2:80"
+      reusePort = true
+    ```
+
+    ```bash tab="CLI"
+    --entrypoints.web.address=:80
+    --entrypoints.web.reusePort=true
+    --entrypoints.privateWeb.address=192.168.1.2:80
+    --entrypoints.privateWeb.reusePort=true
+    ```
+
+    Requests to `192.168.1.2:80` will only be handled by routers that have `privateWeb` as the entry point.
+
 ### AsDefault
 
 _Optional, Default=false_
@@ -650,7 +723,7 @@ The maximum number of requests Traefik can handle before sending a `Connection:
     ```bash tab="CLI"
     ## Static configuration
     --entryPoints.name.address=:8888
-    --entryPoints.name.transport.keepAliveRequests=42
+    --entryPoints.name.transport.keepAliveMaxRequests=42
     ```
 
 #### `keepAliveMaxTime`
@@ -680,7 +753,7 @@ The maximum duration Traefik can handle requests before sending a `Connection: C
     ```bash tab="CLI"
     ## Static configuration
     --entryPoints.name.address=:8888
-    --entryPoints.name.transport.keepAliveTime=42s
+    --entryPoints.name.transport.keepAliveMaxTime=42s
     ```
 
 ### ProxyProtocol

docs/content/routing/services/index.md

@@ -1617,6 +1617,46 @@ Below are the available options for the PROXY protocol:
           version = 1
     ```
 
+#### Termination Delay
+
+!!! warning
+
+    Deprecated in favor of [`serversTransport.terminationDelay`](#terminationdelay).
+    Please note that if any `serversTransport` configuration on the servers load balancer is found,
+    it will take precedence over the servers load balancer `terminationDelay` value,
+    even if the `serversTransport.terminationDelay` is undefined.
+
+As a proxy between a client and a server, it can happen that either side (e.g. client side) decides to terminate its writing capability on the connection (i.e. issuance of a FIN packet).
+The proxy needs to propagate that intent to the other side, and so when that happens, it also does the same on its connection with the other side (e.g. backend side).
+
+However, if for some reason (bad implementation, or malicious intent) the other side does not eventually do the same as well,
+the connection would stay half-open, which would lock resources for however long.
+
+To that end, as soon as the proxy enters this termination sequence, it sets a deadline on fully terminating the connections on both sides.
+
+The termination delay controls that deadline.
+It is a duration in milliseconds, defaulting to 100.
+A negative value means an infinite deadline (i.e. the connection is never fully terminated by the proxy itself).
+
+??? example "A Service with a termination delay -- Using the [File Provider](../../providers/file.md)"
+
+    ```yaml tab="YAML"
+    ## Dynamic configuration
+    tcp:
+      services:
+        my-service:
+          loadBalancer:
+            terminationDelay: 200
+    ```
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [tcp.services]
+      [tcp.services.my-service.loadBalancer]
+        [[tcp.services.my-service.loadBalancer]]
+          terminationDelay = 200
+    ```
+
 ### Weighted Round Robin
 
 The Weighted Round Robin (alias `WRR`) load-balancer of services is in charge of balancing the requests between multiple services based on provided weights.

docs/mkdocs.yml

@@ -149,11 +149,16 @@ nav:
       - 'API': 'operations/api.md'
       - 'Ping': 'operations/ping.md'
   - 'Observability':
+      - 'Overview': 'observability/overview.md'
       - 'Logs': 'observability/logs.md'
       - 'Access Logs': 'observability/access-logs.md'
       - 'Metrics':
           - 'Overview': 'observability/metrics/overview.md'
+          - 'Datadog': 'observability/metrics/datadog.md'
+          - 'InfluxDB2': 'observability/metrics/influxdb2.md'
           - 'OpenTelemetry': 'observability/metrics/opentelemetry.md'
+          - 'Prometheus': 'observability/metrics/prometheus.md'
+          - 'StatsD': 'observability/metrics/statsd.md'
       - 'Tracing':
           - 'Overview': 'observability/tracing/overview.md'
           - 'OpenTelemetry': 'observability/tracing/opentelemetry.md'

go.mod

@@ -1,6 +1,6 @@
 module github.com/traefik/traefik/v3
 
-go 1.21
+go 1.22
 
 require (
 	github.com/BurntSushi/toml v1.3.2
@@ -17,7 +17,7 @@ require (
 	github.com/docker/go-connections v0.4.0
 	github.com/fatih/structs v1.1.0
 	github.com/fsnotify/fsnotify v1.7.0
-	github.com/go-acme/lego/v4 v4.14.0
+	github.com/go-acme/lego/v4 v4.15.0
 	github.com/go-kit/kit v0.10.1-0.20200915143503-439c4d2ed3ea
 	github.com/golang/protobuf v1.5.3
 	github.com/google/go-github/v28 v28.1.1
@@ -26,7 +26,7 @@ require (
 	github.com/hashicorp/consul/api v1.26.1
 	github.com/hashicorp/go-hclog v1.5.0
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-retryablehttp v0.7.4
+	github.com/hashicorp/go-retryablehttp v0.7.5
 	github.com/hashicorp/go-version v1.6.0
 	github.com/hashicorp/nomad/api v0.0.0-20240122103822-8a4bd61caf74
 	github.com/http-wasm/http-wasm-host-go v0.5.2
@@ -39,7 +39,7 @@ require (
 	github.com/kvtools/valkeyrie v1.0.0
 	github.com/kvtools/zookeeper v1.0.2
 	github.com/mailgun/ttlmap v0.0.0-20170619185759-c1c17f74874f
-	github.com/miekg/dns v1.1.55
+	github.com/miekg/dns v1.1.58
 	github.com/mitchellh/copystructure v1.2.0
 	github.com/mitchellh/hashstructure v1.0.0
 	github.com/mitchellh/mapstructure v1.5.0
@@ -78,11 +78,12 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v1.21.0
 	go.opentelemetry.io/otel/trace v1.21.0
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
-	golang.org/x/mod v0.13.0
+	golang.org/x/mod v0.14.0
-	golang.org/x/net v0.17.0
+	golang.org/x/net v0.20.0
-	golang.org/x/text v0.13.0
+	golang.org/x/sys v0.16.0
-	golang.org/x/time v0.3.0
+	golang.org/x/text v0.14.0
-	golang.org/x/tools v0.14.0
+	golang.org/x/time v0.5.0
+	golang.org/x/tools v0.17.0
 	google.golang.org/grpc v1.59.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.28.4
@@ -108,8 +109,8 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.1.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.27 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
@@ -128,26 +129,27 @@ require (
 	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1755 // indirect
 	github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.20.3 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.24.1 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.18.28 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.26.6 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.27 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.16.16 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.5 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.40 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.36 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.34 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/lightsail v1.27.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.28.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.34.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.12.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.37.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.19.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
-	github.com/aws/smithy-go v1.14.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
+	github.com/aws/smithy-go v1.19.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/bytedance/sonic v1.10.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/civo/civogo v0.3.11 // indirect
-	github.com/cloudflare/cloudflare-go v0.70.0 // indirect
+	github.com/cloudflare/cloudflare-go v0.86.0 // indirect
 	github.com/containerd/containerd v1.7.11 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
@@ -164,12 +166,12 @@ require (
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.7.0 // indirect
-	github.com/exoscale/egoscale v0.100.1 // indirect
+	github.com/exoscale/egoscale v0.102.3 // indirect
 	github.com/fatih/color v1.15.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/gin-gonic/gin v1.9.1 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -178,9 +180,10 @@ require (
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.4 // indirect
 	github.com/go-playground/validator/v10 v10.15.1 // indirect
-	github.com/go-resty/resty/v2 v2.7.0 // indirect
+	github.com/go-resty/resty/v2 v2.11.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/go-zookeeper/zk v1.0.3 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
@@ -220,10 +223,9 @@ require (
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
 	github.com/labbsr0x/goh v1.0.1 // indirect
-	github.com/linode/linodego v1.17.2 // indirect
+	github.com/linode/linodego v1.28.0 // indirect
-	github.com/liquidweb/go-lwApi v0.0.5 // indirect
 	github.com/liquidweb/liquidweb-cli v0.6.9 // indirect
-	github.com/liquidweb/liquidweb-go v1.6.3 // indirect
+	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailgun/minheap v0.0.0-20170619185613-3dbe6c6bf55f // indirect
@@ -247,13 +249,14 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
 	github.com/nrdcg/auroradns v1.1.0 // indirect
+	github.com/nrdcg/bunny-go v0.0.0-20230728143221-c9dda82568d9 // indirect
 	github.com/nrdcg/desec v0.7.0 // indirect
 	github.com/nrdcg/dnspod-go v0.4.0 // indirect
 	github.com/nrdcg/freemyip v0.2.0 // indirect
-	github.com/nrdcg/goinwx v0.8.2 // indirect
+	github.com/nrdcg/goinwx v0.10.0 // indirect
 	github.com/nrdcg/namesilo v0.2.1 // indirect
 	github.com/nrdcg/nodion v0.1.0 // indirect
-	github.com/nrdcg/porkbun v0.2.0 // indirect
+	github.com/nrdcg/porkbun v0.3.0 // indirect
 	github.com/nzdjb/go-metaname v1.0.0 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
 	github.com/onsi/ginkgo/v2 v2.11.0 // indirect
@@ -261,7 +264,7 @@ require (
 	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 	github.com/opencontainers/runc v1.1.5 // indirect
 	github.com/oracle/oci-go-sdk v24.3.0+incompatible // indirect
-	github.com/ovh/go-ovh v1.4.1 // indirect
+	github.com/ovh/go-ovh v1.4.3 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.9 // indirect
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
@@ -277,13 +280,12 @@ require (
 	github.com/sacloud/go-http v0.1.6 // indirect
 	github.com/sacloud/iaas-api-go v1.11.1 // indirect
 	github.com/sacloud/packages-go v0.0.9 // indirect
-	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.17 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.22 // indirect
 	github.com/shirou/gopsutil/v3 v3.23.11 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/simplesurance/bunny-go v0.0.0-20221115111006-e11d9dc91f04 // indirect
 	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
-	github.com/softlayer/softlayer-go v1.1.2 // indirect
+	github.com/softlayer/softlayer-go v1.1.3 // indirect
 	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
 	github.com/spf13/cast v1.3.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
@@ -294,8 +296,8 @@ require (
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
-	github.com/transip/gotransip/v6 v6.20.0 // indirect
+	github.com/transip/gotransip/v6 v6.23.0 // indirect
-	github.com/ultradns/ultradns-go-sdk v1.5.0-20230427130837-23c9b0c // indirect
+	github.com/ultradns/ultradns-go-sdk v1.6.1-20231103022937-8589b6a // indirect
 	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
 	github.com/vultr/govultr/v2 v2.17.2 // indirect
 	github.com/yandex-cloud/go-genproto v0.0.0-20220805142335-27b56ddae16f // indirect
@@ -313,10 +315,9 @@ require (
 	go.uber.org/ratelimit v0.2.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/arch v0.4.0 // indirect
-	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/crypto v0.18.0 // indirect
-	golang.org/x/oauth2 v0.13.0 // indirect
+	golang.org/x/oauth2 v0.16.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.16.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
 	google.golang.org/api v0.128.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect
@@ -326,7 +327,7 @@ require (
 	gopkg.in/h2non/gock.v1 v1.0.16 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/ns1/ns1-go.v2 v2.7.6 // indirect
+	gopkg.in/ns1/ns1-go.v2 v2.7.13 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect

go.sum

@@ -42,11 +42,11 @@ github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg6
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc=
-github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A=
+github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw=
-github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U=
+github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs=
 github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
-github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg=
+github.com/Azure/go-autorest/autorest/adal v0.9.22 h1:/GblQdIudfEM3AWWZ0mrYJQSd7JS4S/Mbzh6F0ov0Xc=
-github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
+github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk=
 github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk=
 github.com/Azure/go-autorest/autorest/azure/auth v0.5.12/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg=
 github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 h1:0W/yGmFdTIT77fvdlGZ0LMISoLHFJ7Tx4U0yeB+uFs4=
@@ -122,39 +122,36 @@ github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN
 github.com/aws/aws-sdk-go v1.44.327 h1:ZS8oO4+7MOBLhkdwIhgtVeDzCeWOlTfKJS7EgggbIEY=
 github.com/aws/aws-sdk-go v1.44.327/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
-github.com/aws/aws-sdk-go-v2 v1.19.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
+github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU=
-github.com/aws/aws-sdk-go-v2 v1.20.3 h1:lgeKmAZhlj1JqN43bogrM75spIvYnRxqTAh1iupu1yE=
+github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4=
-github.com/aws/aws-sdk-go-v2 v1.20.3/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M=
+github.com/aws/aws-sdk-go-v2/config v1.26.6 h1:Z/7w9bUqlRI0FFQpetVuFYEsjzE3h7fpU6HuGmfPL/o=
-github.com/aws/aws-sdk-go-v2/config v1.18.28 h1:TINEaKyh1Td64tqFvn09iYpKiWjmHYrG1fa91q2gnqw=
+github.com/aws/aws-sdk-go-v2/config v1.26.6/go.mod h1:uKU6cnDmYCvJ+pxO9S4cWDb2yWWIH5hra+32hVh1MI4=
-github.com/aws/aws-sdk-go-v2/config v1.18.28/go.mod h1:nIL+4/8JdAuNHEjn/gPEXqtnS02Q3NXB/9Z7o5xE4+A=
+github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8=
-github.com/aws/aws-sdk-go-v2/credentials v1.13.27 h1:dz0yr/yR1jweAnsCx+BmjerUILVPQ6FS5AwF/OyG1kA=
+github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0=
-github.com/aws/aws-sdk-go-v2/credentials v1.13.27/go.mod h1:syOqAek45ZXZp29HlnRS/BNgMIW6uiRmeuQsz4Qh2UE=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.5 h1:kP3Me6Fy3vdi+9uHd7YLr6ewPxRL+PU6y15urfTaamU=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.5/go.mod h1:Gj7tm95r+QsDoN2Fhuz/3npQvcZbkEf5mL70n3Xfluc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.35/go.mod h1:ipR5PvpSPqIqL5Mi82BxLnfMkHVbmco8kUwO2xrCi0M=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.40 h1:CXceCS9BrDInRc74GDCQ8Qyk/Gp9VLdK+Rlve+zELSE=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.40/go.mod h1:5kKmFhLeOVy6pwPDpDNA6/hK/d6URC98pqDDqHgdBx4=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.29/go.mod h1:M/eUABlDbw2uVrdAn+UsI6M727qp2fxkp8K0ejcBDUY=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 h1:n3GDfwqF2tzEkXlv5cuy4iy7LpKDtqDMcNLfZDu9rls=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.34 h1:B+nZtd22cbko5+793hg7LEaTeLMiZwlgCLUrN5Y0uzg=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.34/go.mod h1:RZP0scceAyhMIQ9JvFp7HvkpcgqjL4l/4C+7RAeGbuM=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.36 h1:8r5m1BoAWkn0TDC34lUculryf7nUF25EgIMdjvGCkgo=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.36/go.mod h1:Rmw2M1hMVTwiUhjwMoIBFWFJMhvJbct06sSidxInkhY=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.29/go.mod h1:fDbkK4o7fpPXWn8YAPmTieAMuB9mk/VgvW64uaUqxd4=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.34 h1:JwvXk+1ePAD9xkFHprhHYqwsxLDcbNFsPI1IAT2sPS0=
+github.com/aws/aws-sdk-go-v2/service/lightsail v1.34.0 h1:LvWkxBi/bsWHqj3bFTUuDLl4OAlbaM1HDZ9YPhj5+jg=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.34/go.mod h1:ytsF+t+FApY2lFnN51fJKPhH6ICKOPXKEcwwgmJEdWI=
+github.com/aws/aws-sdk-go-v2/service/lightsail v1.34.0/go.mod h1:35MKNS46RX7Lb9EIFP2bPy3WrJu+bxU6QgLis8K1aa4=
-github.com/aws/aws-sdk-go-v2/service/lightsail v1.27.2 h1:PwNeYoonBzmTdCztKiiutws3U24KrnDBuabzRfIlZY4=
+github.com/aws/aws-sdk-go-v2/service/route53 v1.37.0 h1:f3hBZWtpn9clZGXJoqahQeec9ZPZnu22g8pg+zNyif0=
-github.com/aws/aws-sdk-go-v2/service/lightsail v1.27.2/go.mod h1:gQhLZrTEath4zik5ixIe6axvgY5jJrgSBDJ360Fxnco=
+github.com/aws/aws-sdk-go-v2/service/route53 v1.37.0/go.mod h1:8qqfpG4mug2JLlEyWPSFhEGvJiaZ9iPmMDDMYc5Xtas=
-github.com/aws/aws-sdk-go-v2/service/route53 v1.28.4 h1:p4mTxJfCAyiTT4Wp6p/mOPa6j5MqCSRGot8qZwFs+Z0=
+github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow=
-github.com/aws/aws-sdk-go-v2/service/route53 v1.28.4/go.mod h1:VBLWpaHvhQNeu7N9rMEf00SWeOONb/HvaDUxe/7b44k=
+github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM=
-github.com/aws/aws-sdk-go-v2/service/sso v1.12.13 h1:sWDv7cMITPcZ21QdreULwxOOAmE05JjEsT6fCDtDA9k=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA=
-github.com/aws/aws-sdk-go-v2/service/sso v1.12.13/go.mod h1:DfX0sWuT46KpcqbMhJ9QWtxAIP1VozkDWf8VAkByjYY=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.13 h1:BFubHS/xN5bjl818QaroN6mQdjneYQ+AOx44KNXlyH4=
+github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.13/go.mod h1:BzqsVVFduubEmzrVtUFQQIQdFqvUItF8XUq2EnS8Wog=
+github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U=
-github.com/aws/aws-sdk-go-v2/service/sts v1.19.3 h1:e5mnydVdCVWxP+5rPAGi2PYxC7u2OZgH1ypC114H04U=
+github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
-github.com/aws/aws-sdk-go-v2/service/sts v1.19.3/go.mod h1:yVGZA1CPkmUhBdA039jXNJJG7/6t+G+EBWmFq23xqnY=
+github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
-github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/aws/smithy-go v1.14.2 h1:MJU9hqBGbvWZdApzpvoF2WAIJDbtjK2NDJSiJP7HblQ=
-github.com/aws/smithy-go v1.14.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -199,8 +196,8 @@ github.com/civo/civogo v0.3.11 h1:mON/fyrV946Sbk6paRtOSGsN+asCgCmHCgArf5xmGxM=
 github.com/civo/civogo v0.3.11/go.mod h1:7+GeeFwc4AYTULaEshpT2vIcl3Qq8HPoxA17viX3l6g=
 github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudflare/cloudflare-go v0.70.0 h1:4opGbUygM8DjirUuaz23jn3akuAcnOCEx+0nQtQEcFo=
+github.com/cloudflare/cloudflare-go v0.86.0 h1:jEKN5VHNYNYtfDL2lUFLTRo+nOVNPFxpXTstVx0rqHI=
-github.com/cloudflare/cloudflare-go v0.70.0/go.mod h1:VW6GuazkaZ4xEDkFt24lkXQUsE8q7BiGqDniC2s8WEM=
+github.com/cloudflare/cloudflare-go v0.86.0/go.mod h1:wYW/5UP02TUfBToa/yKbQHV+r6h1NnJ1Je7XjuGM4Jw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
@@ -306,8 +303,8 @@ github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ
 github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.7.0 h1:nJqP7uwL84RJInrohHfW0Fx3awjbm8qZeFv0nW9SYGc=
 github.com/evanphx/json-patch/v5 v5.7.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
-github.com/exoscale/egoscale v0.100.1 h1:iXsV1Ei7daqe/6FYSCSDyrFs1iUG1l1X9qNh2uMw6z0=
+github.com/exoscale/egoscale v0.102.3 h1:DYqN2ipoLKpiFoprRGQkp2av/Ze7sUYYlGhi1N62tfY=
-github.com/exoscale/egoscale v0.100.1/go.mod h1:BAb9p4rmyU+Wl400CJZO5270H2sXtdsZjLcm5xMKkz4=
+github.com/exoscale/egoscale v0.102.3/go.mod h1:RPf2Gah6up+6kAEayHTQwqapzXlm93f0VQas/UEGU5c=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
@@ -338,15 +335,15 @@ github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwv
 github.com/gin-gonic/gin v1.7.4/go.mod h1:jD2toBW3GZUr5UMcdrwQA10I7RuaFOl/SGeDjXkfUtY=
 github.com/gin-gonic/gin v1.9.1 h1:4idEAncQnU5cB7BeOkPtxjfCSye0AAm1R0RVIqJ+Jmg=
 github.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU=
-github.com/go-acme/lego/v4 v4.14.0 h1:/skZoRHgVh0d2RK7l1g3Ch8HqeqP9LB8ZEjLdGEpcDE=
+github.com/go-acme/lego/v4 v4.15.0 h1:A7MHEU3b+TDFqhC/HmzMJnzPbyeaYvMZQBbqgvbThhU=
-github.com/go-acme/lego/v4 v4.14.0/go.mod h1:zjmvNCDLGz7GrC1OqdVpVmZFKSRabEDtWbdzmcpBsGo=
+github.com/go-acme/lego/v4 v4.15.0/go.mod h1:eeGhjW4zWT7Ccqa3sY7ayEqFLCAICx+mXgkMHKIkLxg=
 github.com/go-chi/chi/v5 v5.0.0/go.mod h1:BBug9lr0cqtdAhsu6R4AAdvufI0/XBzAQSsUqJpoZOs=
 github.com/go-cmd/cmd v1.0.5/go.mod h1:y8q8qlK5wQibcw63djSl/ntiHUHXHGdCkPk0j4QeW4s=
 github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
-github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
+github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
-github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
+github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.10.1-0.20200915143503-439c4d2ed3ea h1:CnEQOUv4ilElSwFB9g/lVmz206oLE4aNZDYngIY1Gvg=
@@ -390,8 +387,8 @@ github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn
 github.com/go-playground/validator/v10 v10.9.0/go.mod h1:74x4gJWsvQexRdW8Pn3dXSGrTK4nAUsbPlLADvpJkos=
 github.com/go-playground/validator/v10 v10.15.1 h1:BSe8uhN+xQ4r5guV/ywQI4gO59C2raYcGffYWZEjZzM=
 github.com/go-playground/validator/v10 v10.15.1/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
-github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY=
+github.com/go-resty/resty/v2 v2.11.0 h1:i7jMfNOJYMp69lq7qozJP+bjgzfAzeOhuGlyDrqxT/8=
-github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I=
+github.com/go-resty/resty/v2 v2.11.0/go.mod h1:iiP/OpA0CkcL3IGt1O0+/SIItFUbkkyw5BGXiVdTu+A=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -480,7 +477,6 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
-github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -569,8 +565,8 @@ github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
-github.com/hashicorp/go-retryablehttp v0.7.4 h1:ZQgVdpTdAL7WpMIwLzCfbalOcSUdkDZnpUv3/+BxzFA=
+github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=
-github.com/hashicorp/go-retryablehttp v0.7.4/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
@@ -709,15 +705,13 @@ github.com/lestrrat-go/jwx v1.2.7/go.mod h1:bw24IXWbavc0R2RsOtpXL7RtMyP589yZ1+L7
 github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM=
 github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4=
-github.com/linode/linodego v1.17.2 h1:b32dj4662PGG5P9qVa6nBezccWdqgukndlMIuPGq1CQ=
+github.com/linode/linodego v1.28.0 h1:lzxxJebsYg5cCWRNDLyL2StW3sfMyAwf/FYfxFjFrlk=
-github.com/linode/linodego v1.17.2/go.mod h1:C2iyT3Vg2O2sPxkWka4XAQ5WSUtm5LmTZ3Adw43Ra7Q=
+github.com/linode/linodego v1.28.0/go.mod h1:5oAsx+uinHtVo6U77nXXXtox7MWzUW6aEkTOKXxA9uo=
 github.com/liquidweb/go-lwApi v0.0.0-20190605172801-52a4864d2738/go.mod h1:0sYF9rMXb0vlG+4SzdiGMXHheCZxjguMq+Zb4S2BfBs=
-github.com/liquidweb/go-lwApi v0.0.5 h1:CT4cdXzJXmo0bon298kS7NeSk+Gt8/UHpWBBol1NGCA=
-github.com/liquidweb/go-lwApi v0.0.5/go.mod h1:0sYF9rMXb0vlG+4SzdiGMXHheCZxjguMq+Zb4S2BfBs=
 github.com/liquidweb/liquidweb-cli v0.6.9 h1:acbIvdRauiwbxIsOCEMXGwF75aSJDbDiyAWPjVnwoYM=
 github.com/liquidweb/liquidweb-cli v0.6.9/go.mod h1:cE1uvQ+x24NGUL75D0QagOFCG8Wdvmwu8aL9TLmA/eQ=
-github.com/liquidweb/liquidweb-go v1.6.3 h1:NVHvcnX3eb3BltiIoA+gLYn15nOpkYkdizOEYGSKrk4=
+github.com/liquidweb/liquidweb-go v1.6.4 h1:6S0m3hHSpiLqGD7AFSb7lH/W/qr1wx+tKil9fgIbjMc=
-github.com/liquidweb/liquidweb-go v1.6.3/go.mod h1:SuXXp+thr28LnjEw18AYtWwIbWMHSUiajPQs8T9c/Rc=
+github.com/liquidweb/liquidweb-go v1.6.4/go.mod h1:B934JPIIcdA+uTq2Nz5PgOtG6CuCaEvQKe/Ge/5GgZ4=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
 github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ=
@@ -771,8 +765,8 @@ github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3N
 github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
 github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
 github.com/miekg/dns v1.1.47/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
-github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
+github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
-github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
+github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
 github.com/mimuret/golang-iij-dpf v0.9.1 h1:Gj6EhHJkOhr+q2RnvRPJsPMcjuVnWPSccEHyoEehU34=
 github.com/mimuret/golang-iij-dpf v0.9.1/go.mod h1:sl9KyOkESib9+KRD3HaGpgi1xk7eoN2+d96LCLsME2M=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
@@ -839,20 +833,22 @@ github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32/go.mod h1:9wM+0iRr9ahx58uY
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nrdcg/auroradns v1.1.0 h1:KekGh8kmf2MNwqZVVYo/fw/ZONt8QMEmbMFOeljteWo=
 github.com/nrdcg/auroradns v1.1.0/go.mod h1:O7tViUZbAcnykVnrGkXzIJTHoQCHcgalgAe6X1mzHfk=
+github.com/nrdcg/bunny-go v0.0.0-20230728143221-c9dda82568d9 h1:qpB3wZR4+MPK92cTC9zZPnndkJgDgPvQqPUAgVc1NXU=
+github.com/nrdcg/bunny-go v0.0.0-20230728143221-c9dda82568d9/go.mod h1:HUoHXDrFvidN1NK9Wb/mZKNOfDNutKkzF2Pg71M9hHA=
 github.com/nrdcg/desec v0.7.0 h1:iuGhi4pstF3+vJWwt292Oqe2+AsSPKDynQna/eu1fDs=
 github.com/nrdcg/desec v0.7.0/go.mod h1:e1uRqqKv1mJdd5+SQROAhmy75lKMphLzWIuASLkpeFY=
 github.com/nrdcg/dnspod-go v0.4.0 h1:c/jn1mLZNKF3/osJ6mz3QPxTudvPArXTjpkmYj0uK6U=
 github.com/nrdcg/dnspod-go v0.4.0/go.mod h1:vZSoFSFeQVm2gWLMkyX61LZ8HI3BaqtHZWgPTGKr6KQ=
 github.com/nrdcg/freemyip v0.2.0 h1:/GscavT4GVqAY13HExl5UyoB4wlchv6Cg5NYDGsUoJ8=
 github.com/nrdcg/freemyip v0.2.0/go.mod h1:HjF0Yz0lSb37HD2ihIyGz9esyGcxbCrrGFLPpKevbx4=
-github.com/nrdcg/goinwx v0.8.2 h1:RmjiHlEA+lzi3toXyPSaE6hWnBQ0+G+1u7w8C6Fpp4g=
+github.com/nrdcg/goinwx v0.10.0 h1:6W630bjDxQD6OuXKqrFRYVpTt0G/9GXXm3CeOrN0zJM=
-github.com/nrdcg/goinwx v0.8.2/go.mod h1:mnMSTi7CXBu2io4DzdOBoGFA1XclD0sEPWJaDhNgkA4=
+github.com/nrdcg/goinwx v0.10.0/go.mod h1:mnMSTi7CXBu2io4DzdOBoGFA1XclD0sEPWJaDhNgkA4=
 github.com/nrdcg/namesilo v0.2.1 h1:kLjCjsufdW/IlC+iSfAqj0iQGgKjlbUUeDJio5Y6eMg=
 github.com/nrdcg/namesilo v0.2.1/go.mod h1:lwMvfQTyYq+BbjJd30ylEG4GPSS6PII0Tia4rRpRiyw=
 github.com/nrdcg/nodion v0.1.0 h1:zLKaqTn2X0aDuBHHfyA1zFgeZfiCpmu/O9DM73okavw=
 github.com/nrdcg/nodion v0.1.0/go.mod h1:inbuh3neCtIWlMPZHtEpe43TmRXxHV6+hk97iCZicms=
-github.com/nrdcg/porkbun v0.2.0 h1:ghaqPtIKcffba99epWFkK3VWf6TKJT9WMXMgaTqv95Y=
+github.com/nrdcg/porkbun v0.3.0 h1:jnRV7j2zd3hmh+tSDOGetJyy3+WklaMxbs7HtTTmWMs=
-github.com/nrdcg/porkbun v0.2.0/go.mod h1:i0uLMn9ItFsLsSQIAeEu1wQ9/+6EvX1eQw15hulMMRw=
+github.com/nrdcg/porkbun v0.3.0/go.mod h1:jh1DKz96jGHW+NCdG3AmTbbnQeBlNUz1KeSgeN/cBVw=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
@@ -899,8 +895,8 @@ github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnh
 github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
 github.com/oracle/oci-go-sdk v24.3.0+incompatible h1:x4mcfb4agelf1O4/1/auGlZ1lr97jXRSSN5MxTgG/zU=
 github.com/oracle/oci-go-sdk v24.3.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
-github.com/ovh/go-ovh v1.4.1 h1:VBGa5wMyQtTP7Zb+w97zRCh9sLtM/2YKRyy+MEJmWaM=
+github.com/ovh/go-ovh v1.4.3 h1:Gs3V823zwTFpzgGLZNI6ILS4rmxZgJwJCz54Er9LwD0=
-github.com/ovh/go-ovh v1.4.1/go.mod h1:6bL6pPyUT7tBfI0pqOegJgRjgjuO+mOo+MyXd1EEC0M=
+github.com/ovh/go-ovh v1.4.3/go.mod h1:AkPXVtgwB6xlKblMjRKJJmjRp+ogrE7fz2lVgcQY8SY=
 github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY=
@@ -1003,8 +999,8 @@ github.com/sacloud/iaas-api-go v1.11.1/go.mod h1:uBDSa06F/V0OnoR66jGdbH0PVnCJw+N
 github.com/sacloud/packages-go v0.0.9 h1:GbinkBLC/eirFhHpLjoDW6JV7+95Rnd2d8RWj7Afeks=
 github.com/sacloud/packages-go v0.0.9/go.mod h1:k+EEUMF2LlncjbNIJNOqLyZ9wjTESPIWIk1OA7x9j2Q=
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
-github.com/scaleway/scaleway-sdk-go v1.0.0-beta.17 h1:1WuWJu7/e8SqK+uQl7lfk/N/oMZTL2NE/TJsNKRNMc4=
+github.com/scaleway/scaleway-sdk-go v1.0.0-beta.22 h1:wJrcTdddKOI8TFxs8cemnhKP2EmKy3yfUKHj3ZdfzYo=
-github.com/scaleway/scaleway-sdk-go v1.0.0-beta.17/go.mod h1:fCa7OJZ/9DRTnOKmxvT6pn+LPWUptQAmHF/SBJUGEcg=
+github.com/scaleway/scaleway-sdk-go v1.0.0-beta.22/go.mod h1:fCa7OJZ/9DRTnOKmxvT6pn+LPWUptQAmHF/SBJUGEcg=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
@@ -1020,8 +1016,6 @@ github.com/shoenig/test v1.7.0/go.mod h1:UxJ6u/x2v/TNs/LoLxBNJRV9DiwBBKYxXSyczsB
 github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/simplesurance/bunny-go v0.0.0-20221115111006-e11d9dc91f04 h1:ZTzdx88+AcnjqUfJwnz89UBrMSBQ1NEysg9u5d+dU9c=
-github.com/simplesurance/bunny-go v0.0.0-20221115111006-e11d9dc91f04/go.mod h1:5KS21fpch8TIMyAUv/qQqTa3GZfBDYgjaZbd2KXKYfg=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
@@ -1036,8 +1030,8 @@ github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/smartystreets/gunit v1.0.4 h1:tpTjnuH7MLlqhoD21vRoMZbMIi5GmBsAJDFyF67GhZA=
 github.com/smartystreets/gunit v1.0.4/go.mod h1:EH5qMBab2UclzXUcpR8b93eHsIlp9u+pDQIRp5DZNzQ=
-github.com/softlayer/softlayer-go v1.1.2 h1:rUSSGCyaxymvTOsaFjwr+cGxA8muw3xg2LSrIMNcN/c=
+github.com/softlayer/softlayer-go v1.1.3 h1:dfFzt5eOKIAyB/b78fHMyDu5ICx0ZtxL9NRhBlf831A=
-github.com/softlayer/softlayer-go v1.1.2/go.mod h1:hvAbzGH4LRXA6yXY8BNx99yoqZ7urfDdtl9mvBf0G+g=
+github.com/softlayer/softlayer-go v1.1.3/go.mod h1:Pc7F57OgUKaAam7TtpqkUeqL7QyKknfiUI4R49h41/U=
 github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e h1:3OgWYFw7jxCZPcvAg+4R8A50GZ+CCkARF10lxu2qDsQ=
 github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e/go.mod h1:fKZCUVdirrxrBpwd9wb+lSoVixvpwAu8eHzbQB2tums=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
@@ -1115,8 +1109,8 @@ github.com/traefik/paerser v0.2.0 h1:zqCLGSXoNlcBd+mzqSCLjon/I6phqIjeJL2xFB2ysgQ
 github.com/traefik/paerser v0.2.0/go.mod h1:afzaVcgF8A+MpTnPG4wBr4whjanCSYA6vK5RwaYVtRc=
 github.com/traefik/yaegi v0.15.1 h1:YA5SbaL6HZA0Exh9T/oArRHqGN2HQ+zgmCY7dkoTXu4=
 github.com/traefik/yaegi v0.15.1/go.mod h1:AVRxhaI2G+nUsaM1zyktzwXn69G3t/AuTDrCiTds9p0=
-github.com/transip/gotransip/v6 v6.20.0 h1:AuvwyOZ51f2brzMbTqlRy/wmaM3kF7Vx5Wds8xcDflY=
+github.com/transip/gotransip/v6 v6.23.0 h1:PsTdjortrEZ8IFFifEryzjVjOy9SgK4ahlnhKBBIQgA=
-github.com/transip/gotransip/v6 v6.20.0/go.mod h1:nzv9eN2tdsUrm5nG5ZX6AugYIU4qgsMwIn2c0EZLk8c=
+github.com/transip/gotransip/v6 v6.23.0/go.mod h1:nzv9eN2tdsUrm5nG5ZX6AugYIU4qgsMwIn2c0EZLk8c=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
@@ -1127,8 +1121,8 @@ github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLY
 github.com/ugorji/go/codec v1.2.6/go.mod h1:V6TCNZ4PHqoHGFZuSG1W8nrCzzdgA2DozYxWFFpvxTw=
 github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4dU=
 github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
-github.com/ultradns/ultradns-go-sdk v1.5.0-20230427130837-23c9b0c h1:mKnW6IGLw7uXu6DL6RitufZWcXS6hCnauXRUFof7rKM=
+github.com/ultradns/ultradns-go-sdk v1.6.1-20231103022937-8589b6a h1:w4PK5/N9kq8PfNxBv8a5t1bqlYRrVT7XzT7iTPTtiPk=
-github.com/ultradns/ultradns-go-sdk v1.5.0-20230427130837-23c9b0c/go.mod h1:F4UyVEmq4/m5lAmx+GccrxyRCXmnBjzUL09JLTQFp94=
+github.com/ultradns/ultradns-go-sdk v1.6.1-20231103022937-8589b6a/go.mod h1:Xwz7o+ExFtxR/i0aJDnTXuiccQJlOxDgNe6FsZC4TzQ=
 github.com/unrolled/render v1.0.2 h1:dGS3EmChQP3yOi1YeFNO/Dx+MbWZhdvhQJTXochM5bs=
 github.com/unrolled/render v1.0.2/go.mod h1:gN9T0NhL4Bfbwu8ann7Ry/TGHYfosul+J0obPf6NBdM=
 github.com/unrolled/secure v1.0.9 h1:BWRuEb1vDrBFFDdbCnKkof3gZ35I/bnHGyt0LB0TNyQ=
@@ -1253,9 +1247,12 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20211202192323-5770296d904e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
+golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1286,8 +1283,9 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1322,20 +1320,22 @@ golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210913180222-943fd674d43e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
+golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
+golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
-golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
+golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1346,8 +1346,9 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1424,15 +1425,20 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
+golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
@@ -1443,16 +1449,20 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20201208040808-7e3f01d25324/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1487,8 +1497,9 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210114065538-d78b04bdf963/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
+golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
+golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1598,8 +1609,8 @@ gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ns1/ns1-go.v2 v2.7.6 h1:mCPl7q0jbIGACXvGBljAuuApmKZo3rRi4tlRIEbMvjA=
+gopkg.in/ns1/ns1-go.v2 v2.7.13 h1:r07CLALg18f/L1KIK1ZJdbirBV349UtYT1rDWGjnaTk=
-gopkg.in/ns1/ns1-go.v2 v2.7.6/go.mod h1:GMnKY+ZuoJ+lVLL+78uSTjwTz2jMazq6AfGKQOYhsPk=
+gopkg.in/ns1/ns1-go.v2 v2.7.13/go.mod h1:pfaU0vECVP7DIOr453z03HXS6dFJpXdNRwOyRzwmPSc=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=

integration/access_log_test.go

@@ -61,7 +61,7 @@ func (s *AccessLogSuite) TestAccessLog() {
 	ensureWorkingDirectoryIsClean()
 
 	// Start Traefik
-	s.traefikCmd(withConfigFile("fixtures/access_log_config.toml"))
+	s.traefikCmd(withConfigFile("fixtures/access_log/access_log_base.toml"))
 
 	defer func() {
 		traefikLog, err := os.ReadFile(traefikTestLogFile)
@@ -130,7 +130,7 @@ func (s *AccessLogSuite) TestAccessLogAuthFrontend() {
 	}
 
 	// Start Traefik
-	s.traefikCmd(withConfigFile("fixtures/access_log_config.toml"))
+	s.traefikCmd(withConfigFile("fixtures/access_log/access_log_base.toml"))
 
 	s.checkStatsForLogFile()
 
@@ -194,7 +194,7 @@ func (s *AccessLogSuite) TestAccessLogDigestAuthMiddleware() {
 	}
 
 	// Start Traefik
-	s.traefikCmd(withConfigFile("fixtures/access_log_config.toml"))
+	s.traefikCmd(withConfigFile("fixtures/access_log/access_log_base.toml"))
 
 	s.checkStatsForLogFile()
 
@@ -304,7 +304,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendRedirect() {
 	}
 
 	// Start Traefik
-	s.traefikCmd(withConfigFile("fixtures/access_log_config.toml"))
+	s.traefikCmd(withConfigFile("fixtures/access_log/access_log_base.toml"))
 
 	s.checkStatsForLogFile()
 
@@ -410,7 +410,7 @@ func (s *AccessLogSuite) TestAccessLogRateLimit() {
 	}
 
 	// Start Traefik
-	s.traefikCmd(withConfigFile("fixtures/access_log_config.toml"))
+	s.traefikCmd(withConfigFile("fixtures/access_log/access_log_base.toml"))
 
 	s.checkStatsForLogFile()
 
@@ -454,7 +454,7 @@ func (s *AccessLogSuite) TestAccessLogBackendNotFound() {
 	}
 
 	// Start Traefik
-	s.traefikCmd(withConfigFile("fixtures/access_log_config.toml"))
+	s.traefikCmd(withConfigFile("fixtures/access_log/access_log_base.toml"))
 
 	s.waitForTraefik("server1")
 
@@ -494,7 +494,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendAllowlist() {
 	}
 
 	// Start Traefik
-	s.traefikCmd(withConfigFile("fixtures/access_log_config.toml"))
+	s.traefikCmd(withConfigFile("fixtures/access_log/access_log_base.toml"))
 
 	s.checkStatsForLogFile()
 
@@ -534,7 +534,7 @@ func (s *AccessLogSuite) TestAccessLogAuthFrontendSuccess() {
 	}
 
 	// Start Traefik
-	s.traefikCmd(withConfigFile("fixtures/access_log_config.toml"))
+	s.traefikCmd(withConfigFile("fixtures/access_log/access_log_base.toml"))
 
 	s.checkStatsForLogFile()
 
@@ -575,7 +575,7 @@ func (s *AccessLogSuite) TestAccessLogPreflightHeadersMiddleware() {
 	}
 
 	// Start Traefik
-	s.traefikCmd(withConfigFile("fixtures/access_log_config.toml"))
+	s.traefikCmd(withConfigFile("fixtures/access_log/access_log_base.toml"))
 
 	s.checkStatsForLogFile()
 
@@ -603,6 +603,56 @@ func (s *AccessLogSuite) TestAccessLogPreflightHeadersMiddleware() {
 	s.checkNoOtherTraefikProblems()
 }
 
+func (s *AccessLogSuite) TestAccessLogDisabledForInternals() {
+	ensureWorkingDirectoryIsClean()
+
+	file := s.adaptFile("fixtures/access_log/access_log_ping.toml", struct{}{})
+
+	// Start Traefik.
+	s.traefikCmd(withConfigFile(file))
+
+	defer func() {
+		traefikLog, err := os.ReadFile(traefikTestLogFile)
+		require.NoError(s.T(), err)
+		log.Info().Msg(string(traefikLog))
+	}()
+
+	// waitForTraefik makes at least one call to the rawdata api endpoint,
+	// but the logs for this endpoint are ignored in checkAccessLogOutput.
+	s.waitForTraefik("customPing")
+
+	s.checkStatsForLogFile()
+
+	// Verify Traefik started OK.
+	s.checkTraefikStarted()
+
+	// Make some requests on the internal ping router.
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8080/ping", nil)
+	require.NoError(s.T(), err)
+
+	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.HasBody())
+	require.NoError(s.T(), err)
+	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.HasBody())
+	require.NoError(s.T(), err)
+
+	// Make some requests on the custom ping router.
+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/ping", nil)
+	require.NoError(s.T(), err)
+
+	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.HasBody())
+	require.NoError(s.T(), err)
+	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.HasBody())
+	require.NoError(s.T(), err)
+
+	// Verify access.log output as expected.
+	count := s.checkAccessLogOutput()
+
+	require.Equal(s.T(), 0, count)
+
+	// Verify no other Traefik problems.
+	s.checkNoOtherTraefikProblems()
+}
+
 func (s *AccessLogSuite) checkNoOtherTraefikProblems() {
 	traefikLog, err := os.ReadFile(traefikTestLogFile)
 	require.NoError(s.T(), err)
@@ -612,6 +662,8 @@ func (s *AccessLogSuite) checkNoOtherTraefikProblems() {
 }
 
 func (s *AccessLogSuite) checkAccessLogOutput() int {
+	s.T().Helper()
+
 	lines := s.extractLines()
 	count := 0
 	for i, line := range lines {
@@ -624,6 +676,8 @@ func (s *AccessLogSuite) checkAccessLogOutput() int {
 }
 
 func (s *AccessLogSuite) checkAccessLogExactValuesOutput(values []accessLogValue) int {
+	s.T().Helper()
+
 	lines := s.extractLines()
 	count := 0
 	for i, line := range lines {
@@ -641,6 +695,8 @@ func (s *AccessLogSuite) checkAccessLogExactValuesOutput(values []accessLogValue
 }
 
 func (s *AccessLogSuite) extractLines() []string {
+	s.T().Helper()
+
 	accessLog, err := os.ReadFile(traefikTestAccessLogFile)
 	require.NoError(s.T(), err)
 
@@ -656,6 +712,8 @@ func (s *AccessLogSuite) extractLines() []string {
 }
 
 func (s *AccessLogSuite) checkStatsForLogFile() {
+	s.T().Helper()
+
 	err := try.Do(1*time.Second, func() error {
 		if _, errStat := os.Stat(traefikTestLogFile); errStat != nil {
 			return fmt.Errorf("could not get stats for log file: %w", errStat)
@@ -671,6 +729,8 @@ func ensureWorkingDirectoryIsClean() {
 }
 
 func (s *AccessLogSuite) checkTraefikStarted() []byte {
+	s.T().Helper()
+
 	traefikLog, err := os.ReadFile(traefikTestLogFile)
 	require.NoError(s.T(), err)
 	if len(traefikLog) > 0 {
@@ -680,6 +740,8 @@ func (s *AccessLogSuite) checkTraefikStarted() []byte {
 }
 
 func (s *BaseSuite) CheckAccessLogFormat(line string, i int) {
+	s.T().Helper()
+
 	results, err := accesslog.ParseAccessLog(line)
 	require.NoError(s.T(), err)
 	assert.Len(s.T(), results, 14)
@@ -692,6 +754,8 @@ func (s *BaseSuite) CheckAccessLogFormat(line string, i int) {
 }
 
 func (s *AccessLogSuite) checkAccessLogExactValues(line string, i int, v accessLogValue) {
+	s.T().Helper()
+
 	results, err := accesslog.ParseAccessLog(line)
 	require.NoError(s.T(), err)
 	assert.Len(s.T(), results, 14)

integration/fixtures/access_log/access_log_ping.toml

@@ -0,0 +1,30 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "ERROR"
+  filePath = "traefik.log"
+
+[accessLog]
+  filePath = "access.log"
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+
+[api]
+  insecure = true
+
+[ping]
+
+[providers]
+  [providers.file]
+    filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+[http.routers]
+  [http.routers.customPing]
+    entryPoints = ["web"]
+    rule = "PathPrefix(`/ping`)"
+    service = "ping@internal"

integration/fixtures/throttling/simple.toml

@@ -19,5 +19,6 @@
     insecure = true
 
 [metrics]
+  addInternals = true
   [metrics.prometheus]
     buckets = [0.1,0.3,1.2,5.0]

integration/fixtures/tracing/simple-opentelemetry.toml

@@ -9,6 +9,8 @@
 [api]
   insecure = true
 
+[ping]
+
 [entryPoints]
   [entryPoints.web]
     address = ":8000"
@@ -47,6 +49,10 @@
     Service = "service3"
     Middlewares = ["retry", "basic-auth"]
     Rule = "Path(`/auth`)"
+  [http.routers.customPing]
+    entryPoints = ["web"]
+    rule = "PathPrefix(`/ping`)"
+    service = "ping@internal"
 
 [http.middlewares]
   [http.middlewares.retry.retry]

integration/k8s_conformance_test.go

@@ -153,17 +153,16 @@ func (s *K8sConformanceSuite) TestK8sGatewayAPIConformance() {
 			RequiredConsecutiveSuccesses:      0,
 		},
 		SupportedFeatures: sets.New[ksuite.SupportedFeature]().
-			Insert(ksuite.GatewayCoreFeatures.UnsortedList()...),
+			Insert(ksuite.GatewayCoreFeatures.UnsortedList()...).
+			Insert(ksuite.ReferenceGrantCoreFeatures.UnsortedList()...),
 		EnableAllSupportedFeatures: false,
 		RunTest:                    *k8sConformanceRunTest,
 		// Until the feature are all supported, following tests are skipped.
 		SkipTests: []string{
 			"HTTPExactPathMatching",
 			"HTTPRouteHostnameIntersection",
-			"GatewaySecretReferenceGrantAllInNamespace",
 			"HTTPRouteListenerHostnameMatching",
 			"HTTPRouteRequestHeaderModifier",
-			"GatewaySecretInvalidReferenceGrant",
 			"GatewayClassObservedGenerationBump",
 			"HTTPRouteInvalidNonExistentBackendRef",
 			"GatewayWithAttachedRoutes",
@@ -171,14 +170,11 @@ func (s *K8sConformanceSuite) TestK8sGatewayAPIConformance() {
 			"HTTPRouteDisallowedKind",
 			"HTTPRouteInvalidReferenceGrant",
 			"HTTPRouteObservedGenerationBump",
-			"GatewayInvalidRouteKind",
 			"TLSRouteSimpleSameNamespace",
 			"TLSRouteInvalidReferenceGrant",
 			"HTTPRouteInvalidCrossNamespaceParentRef",
 			"HTTPRouteInvalidParentRefNotMatchingSectionName",
-			"GatewaySecretReferenceGrantSpecific",
 			"GatewayModifyListeners",
-			"GatewaySecretMissingReferenceGrant",
 			"GatewayInvalidTLSConfiguration",
 			"HTTPRouteInvalidCrossNamespaceBackendRef",
 			"HTTPRouteMatchingAcrossRoutes",

integration/log_rotation_test.go

@@ -57,7 +57,7 @@ func (s *LogRotationSuite) TearDownSuite() {
 
 func (s *LogRotationSuite) TestAccessLogRotation() {
 	// Start Traefik
-	cmd, _ := s.cmdTraefik(withConfigFile("fixtures/access_log_config.toml"))
+	cmd, _ := s.cmdTraefik(withConfigFile("fixtures/access_log/access_log_base.toml"))
 	defer s.displayTraefikLogFile(traefikTestLogFile)
 
 	// Verify Traefik started ok

integration/simple_test.go

@@ -287,6 +287,10 @@ func (s *SimpleSuite) TestMetricsPrometheusDefaultEntryPoint() {
 
 	err = try.GetRequest("http://127.0.0.1:8080/metrics", 1*time.Second, try.BodyContains("_service_"))
 	require.NoError(s.T(), err)
+
+	// No metrics for internals.
+	err = try.GetRequest("http://127.0.0.1:8080/metrics", 1*time.Second, try.BodyNotContains("router=\"api@internal\"", "service=\"api@internal\""))
+	require.NoError(s.T(), err)
 }
 
 func (s *SimpleSuite) TestMetricsPrometheusTwoRoutersOneService() {

integration/tcp_test.go

@@ -302,7 +302,7 @@ func (s *TCPSuite) TestWRR() {
 		time.Sleep(time.Second)
 	}
 
-	assert.EqualValues(s.T(), call, map[string]int{"whoami-b": 3, "whoami-ab": 1})
+	assert.EqualValues(s.T(), map[string]int{"whoami-b": 3, "whoami-ab": 1}, call)
 }
 
 func welcome(addr string) (string, error) {
@@ -404,7 +404,6 @@ func guessWhoTLSPassthrough(addr, serverName string) (string, error) {
 			return fmt.Errorf("tls: no valid certificate for serverName %s", serverName)
 		},
 	})
-
 	if err != nil {
 		return "", err
 	}

integration/tracing_test.go

@@ -414,6 +414,67 @@ func (s *TracingSuite) TestOpentelemetryAuth() {
 	s.checkTraceContent(contains)
 }
 
+func (s *TracingSuite) TestNoInternals() {
+	file := s.adaptFile("fixtures/tracing/simple-opentelemetry.toml", TracingTemplate{
+		WhoamiIP:   s.whoamiIP,
+		WhoamiPort: s.whoamiPort,
+		IP:         s.otelCollectorIP,
+		IsHTTP:     true,
+	})
+
+	s.traefikCmd(withConfigFile(file))
+
+	// wait for traefik
+	err := try.GetRequest("http://127.0.0.1:8080/api/rawdata", time.Second, try.BodyContains("basic-auth"))
+	require.NoError(s.T(), err)
+
+	err = try.GetRequest("http://127.0.0.1:8000/ratelimit", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
+	require.NoError(s.T(), err)
+
+	err = try.GetRequest("http://127.0.0.1:8000/ping", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
+	require.NoError(s.T(), err)
+	err = try.GetRequest("http://127.0.0.1:8080/ping", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
+	require.NoError(s.T(), err)
+
+	baseURL, err := url.Parse("http://" + s.tempoIP + ":3200/api/search")
+	require.NoError(s.T(), err)
+
+	req := &http.Request{
+		Method: http.MethodGet,
+		URL:    baseURL,
+	}
+	// Wait for traces to be available.
+	time.Sleep(10 * time.Second)
+	resp, err := try.Response(req, 5*time.Second)
+	require.NoError(s.T(), err)
+
+	out := &TraceResponse{}
+	content, err := io.ReadAll(resp.Body)
+	require.NoError(s.T(), err)
+	err = json.Unmarshal(content, &out)
+	require.NoError(s.T(), err)
+
+	s.NotEmptyf(len(out.Traces), "expected at least one trace")
+
+	for _, t := range out.Traces {
+		baseURL, err := url.Parse("http://" + s.tempoIP + ":3200/api/traces/" + t.TraceID)
+		require.NoError(s.T(), err)
+
+		req := &http.Request{
+			Method: http.MethodGet,
+			URL:    baseURL,
+		}
+
+		resp, err := try.Response(req, 5*time.Second)
+		require.NoError(s.T(), err)
+
+		content, err := io.ReadAll(resp.Body)
+		require.NoError(s.T(), err)
+
+		require.NotContains(s.T(), content, "@internal")
+	}
+}
+
 func (s *TracingSuite) checkTraceContent(expectedJSON []map[string]string) {
 	s.T().Helper()
 

integration/udp_test.go

@@ -96,7 +96,7 @@ func (s *UDPSuite) TestWRR() {
 				call["unknown"]++
 			}
 		}
-		assert.EqualValues(s.T(), call, map[string]int{"whoami-a": 3, "whoami-b": 2, "whoami-c": 3})
+		assert.EqualValues(s.T(), map[string]int{"whoami-a": 3, "whoami-b": 2, "whoami-c": 3}, call)
 		close(stop)
 	}()
 

pkg/api/handler.go

@@ -76,7 +76,7 @@ func New(staticConfig static.Configuration, runtimeConfig *runtime.Configuration
 
 // createRouter creates API routes and router.
 func (h Handler) createRouter() *mux.Router {
-	router := mux.NewRouter()
+	router := mux.NewRouter().UseEncodedPath()
 
 	if h.staticConfig.API.Debug {
 		DebugHandler{}.Append(router)

pkg/api/handler_entrypoint.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"net/url"
 	"sort"
 	"strconv"
 
@@ -49,7 +50,13 @@ func (h Handler) getEntryPoints(rw http.ResponseWriter, request *http.Request) {
 }
 
 func (h Handler) getEntryPoint(rw http.ResponseWriter, request *http.Request) {
-	entryPointID := mux.Vars(request)["entryPointID"]
+	scapedEntryPointID := mux.Vars(request)["entryPointID"]
+
+	entryPointID, err := url.PathUnescape(scapedEntryPointID)
+	if err != nil {
+		writeError(rw, fmt.Sprintf("unable to decode entryPointID %q: %s", scapedEntryPointID, err), http.StatusBadRequest)
+		return
+	}
 
 	rw.Header().Set("Content-Type", "application/json")
 
@@ -64,7 +71,7 @@ func (h Handler) getEntryPoint(rw http.ResponseWriter, request *http.Request) {
 		Name:       entryPointID,
 	}
 
-	err := json.NewEncoder(rw).Encode(result)
+	err = json.NewEncoder(rw).Encode(result)
 	if err != nil {
 		log.Ctx(request.Context()).Error().Err(err).Send()
 		writeError(rw, err.Error(), http.StatusInternalServerError)

pkg/api/handler_entrypoint_test.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"os"
 	"strconv"
 	"testing"
@@ -169,6 +170,21 @@ func TestHandler_EntryPoints(t *testing.T) {
 				jsonFile:   "testdata/entrypoint-bar.json",
 			},
 		},
+		{
+			desc: "one entry point by id containing slash",
+			path: "/api/entrypoints/" + url.PathEscape("foo / bar"),
+			conf: static.Configuration{
+				Global: &static.Global{},
+				API:    &static.API{},
+				EntryPoints: map[string]*static.EntryPoint{
+					"foo / bar": {Address: ":81"},
+				},
+			},
+			expected: expected{
+				statusCode: http.StatusOK,
+				jsonFile:   "testdata/entrypoint-foo-slash-bar.json",
+			},
+		},
 		{
 			desc: "one entry point by id, that does not exist",
 			path: "/api/entrypoints/foo",

pkg/api/handler_http.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"net/url"
 	"strconv"
 	"strings"
 
@@ -97,7 +98,13 @@ func (h Handler) getRouters(rw http.ResponseWriter, request *http.Request) {
 }
 
 func (h Handler) getRouter(rw http.ResponseWriter, request *http.Request) {
-	routerID := mux.Vars(request)["routerID"]
+	scapedRouterID := mux.Vars(request)["routerID"]
+
+	routerID, err := url.PathUnescape(scapedRouterID)
+	if err != nil {
+		writeError(rw, fmt.Sprintf("unable to decode routerID %q: %s", scapedRouterID, err), http.StatusBadRequest)
+		return
+	}
 
 	rw.Header().Set("Content-Type", "application/json")
 
@@ -109,7 +116,7 @@ func (h Handler) getRouter(rw http.ResponseWriter, request *http.Request) {
 
 	result := newRouterRepresentation(routerID, router)
 
-	err := json.NewEncoder(rw).Encode(result)
+	err = json.NewEncoder(rw).Encode(result)
 	if err != nil {
 		log.Ctx(request.Context()).Error().Err(err).Send()
 		writeError(rw, err.Error(), http.StatusInternalServerError)
@@ -148,7 +155,13 @@ func (h Handler) getServices(rw http.ResponseWriter, request *http.Request) {
 }
 
 func (h Handler) getService(rw http.ResponseWriter, request *http.Request) {
-	serviceID := mux.Vars(request)["serviceID"]
+	scapedServiceID := mux.Vars(request)["serviceID"]
+
+	serviceID, err := url.PathUnescape(scapedServiceID)
+	if err != nil {
+		writeError(rw, fmt.Sprintf("unable to decode serviceID %q: %s", scapedServiceID, err), http.StatusBadRequest)
+		return
+	}
 
 	rw.Header().Add("Content-Type", "application/json")
 
@@ -160,7 +173,7 @@ func (h Handler) getService(rw http.ResponseWriter, request *http.Request) {
 
 	result := newServiceRepresentation(serviceID, service)
 
-	err := json.NewEncoder(rw).Encode(result)
+	err = json.NewEncoder(rw).Encode(result)
 	if err != nil {
 		log.Ctx(request.Context()).Error().Err(err).Send()
 		writeError(rw, err.Error(), http.StatusInternalServerError)
@@ -199,7 +212,13 @@ func (h Handler) getMiddlewares(rw http.ResponseWriter, request *http.Request) {
 }
 
 func (h Handler) getMiddleware(rw http.ResponseWriter, request *http.Request) {
-	middlewareID := mux.Vars(request)["middlewareID"]
+	scapedMiddlewareID := mux.Vars(request)["middlewareID"]
+
+	middlewareID, err := url.PathUnescape(scapedMiddlewareID)
+	if err != nil {
+		writeError(rw, fmt.Sprintf("unable to decode middlewareID %q: %s", scapedMiddlewareID, err), http.StatusBadRequest)
+		return
+	}
 
 	rw.Header().Set("Content-Type", "application/json")
 
@@ -211,7 +230,7 @@ func (h Handler) getMiddleware(rw http.ResponseWriter, request *http.Request) {
 
 	result := newMiddlewareRepresentation(middlewareID, middleware)
 
-	err := json.NewEncoder(rw).Encode(result)
+	err = json.NewEncoder(rw).Encode(result)
 	if err != nil {
 		log.Ctx(request.Context()).Error().Err(err).Send()
 		writeError(rw, err.Error(), http.StatusInternalServerError)

pkg/api/handler_http_test.go

@@ -7,6 +7,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"os"
 	"strconv"
 	"testing"
@@ -301,6 +302,27 @@ func TestHandler_HTTP(t *testing.T) {
 				jsonFile:   "testdata/router-bar.json",
 			},
 		},
+		{
+			desc: "one router by id containing slash",
+			path: "/api/http/routers/" + url.PathEscape("foo / bar@myprovider"),
+			conf: runtime.Configuration{
+				Routers: map[string]*runtime.RouterInfo{
+					"foo / bar@myprovider": {
+						Router: &dynamic.Router{
+							EntryPoints: []string{"web"},
+							Service:     "foo-service@myprovider",
+							Rule:        "Host(`foo.bar`)",
+							Middlewares: []string{"auth", "addPrefixTest@anotherprovider"},
+						},
+						Status: "enabled",
+					},
+				},
+			},
+			expected: expected{
+				statusCode: http.StatusOK,
+				jsonFile:   "testdata/router-foo-slash-bar.json",
+			},
+		},
 		{
 			desc: "one router by id, implicitly using default TLS options",
 			path: "/api/http/routers/baz@myprovider",
@@ -661,6 +683,35 @@ func TestHandler_HTTP(t *testing.T) {
 				jsonFile:   "testdata/service-bar.json",
 			},
 		},
+		{
+			desc: "one service by id containing slash",
+			path: "/api/http/services/" + url.PathEscape("foo / bar@myprovider"),
+			conf: runtime.Configuration{
+				Services: map[string]*runtime.ServiceInfo{
+					"foo / bar@myprovider": func() *runtime.ServiceInfo {
+						si := &runtime.ServiceInfo{
+							Service: &dynamic.Service{
+								LoadBalancer: &dynamic.ServersLoadBalancer{
+									PassHostHeader: Bool(true),
+									Servers: []dynamic.Server{
+										{
+											URL: "http://127.0.0.1",
+										},
+									},
+								},
+							},
+							UsedBy: []string{"foo@myprovider", "test@myprovider"},
+						}
+						si.UpdateServerStatus("http://127.0.0.1", "UP")
+						return si
+					}(),
+				},
+			},
+			expected: expected{
+				statusCode: http.StatusOK,
+				jsonFile:   "testdata/service-foo-slash-bar.json",
+			},
+		},
 		{
 			desc: "one service by id, that does not exist",
 			path: "/api/http/services/nono@myprovider",
@@ -897,6 +948,26 @@ func TestHandler_HTTP(t *testing.T) {
 				jsonFile:   "testdata/middleware-auth.json",
 			},
 		},
+		{
+			desc: "one middleware by id containing slash",
+			path: "/api/http/middlewares/" + url.PathEscape("foo / bar@myprovider"),
+			conf: runtime.Configuration{
+				Middlewares: map[string]*runtime.MiddlewareInfo{
+					"foo / bar@myprovider": {
+						Middleware: &dynamic.Middleware{
+							AddPrefix: &dynamic.AddPrefix{
+								Prefix: "/titi",
+							},
+						},
+						UsedBy: []string{"test@myprovider"},
+					},
+				},
+			},
+			expected: expected{
+				statusCode: http.StatusOK,
+				jsonFile:   "testdata/middleware-foo-slash-bar.json",
+			},
+		},
 		{
 			desc: "one middleware by id, that does not exist",
 			path: "/api/http/middlewares/foo@myprovider",

pkg/api/handler_tcp.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"net/url"
 	"strconv"
 	"strings"
 
@@ -90,7 +91,13 @@ func (h Handler) getTCPRouters(rw http.ResponseWriter, request *http.Request) {
 }
 
 func (h Handler) getTCPRouter(rw http.ResponseWriter, request *http.Request) {
-	routerID := mux.Vars(request)["routerID"]
+	scapedRouterID := mux.Vars(request)["routerID"]
+
+	routerID, err := url.PathUnescape(scapedRouterID)
+	if err != nil {
+		writeError(rw, fmt.Sprintf("unable to decode routerID %q: %s", scapedRouterID, err), http.StatusBadRequest)
+		return
+	}
 
 	rw.Header().Set("Content-Type", "application/json")
 
@@ -102,7 +109,7 @@ func (h Handler) getTCPRouter(rw http.ResponseWriter, request *http.Request) {
 
 	result := newTCPRouterRepresentation(routerID, router)
 
-	err := json.NewEncoder(rw).Encode(result)
+	err = json.NewEncoder(rw).Encode(result)
 	if err != nil {
 		log.Ctx(request.Context()).Error().Err(err).Send()
 		writeError(rw, err.Error(), http.StatusInternalServerError)
@@ -141,7 +148,13 @@ func (h Handler) getTCPServices(rw http.ResponseWriter, request *http.Request) {
 }
 
 func (h Handler) getTCPService(rw http.ResponseWriter, request *http.Request) {
-	serviceID := mux.Vars(request)["serviceID"]
+	scapedServiceID := mux.Vars(request)["serviceID"]
+
+	serviceID, err := url.PathUnescape(scapedServiceID)
+	if err != nil {
+		writeError(rw, fmt.Sprintf("unable to decode serviceID %q: %s", scapedServiceID, err), http.StatusBadRequest)
+		return
+	}
 
 	rw.Header().Set("Content-Type", "application/json")
 
@@ -153,7 +166,7 @@ func (h Handler) getTCPService(rw http.ResponseWriter, request *http.Request) {
 
 	result := newTCPServiceRepresentation(serviceID, service)
 
-	err := json.NewEncoder(rw).Encode(result)
+	err = json.NewEncoder(rw).Encode(result)
 	if err != nil {
 		log.Ctx(request.Context()).Error().Err(err).Send()
 		writeError(rw, err.Error(), http.StatusInternalServerError)
@@ -192,7 +205,13 @@ func (h Handler) getTCPMiddlewares(rw http.ResponseWriter, request *http.Request
 }
 
 func (h Handler) getTCPMiddleware(rw http.ResponseWriter, request *http.Request) {
-	middlewareID := mux.Vars(request)["middlewareID"]
+	scapedMiddlewareID := mux.Vars(request)["middlewareID"]
+
+	middlewareID, err := url.PathUnescape(scapedMiddlewareID)
+	if err != nil {
+		writeError(rw, fmt.Sprintf("unable to decode middlewareID %q: %s", scapedMiddlewareID, err), http.StatusBadRequest)
+		return
+	}
 
 	rw.Header().Set("Content-Type", "application/json")
 
@@ -204,7 +223,7 @@ func (h Handler) getTCPMiddleware(rw http.ResponseWriter, request *http.Request)
 
 	result := newTCPMiddlewareRepresentation(middlewareID, middleware)
 
-	err := json.NewEncoder(rw).Encode(result)
+	err = json.NewEncoder(rw).Encode(result)
 	if err != nil {
 		log.Ctx(request.Context()).Error().Err(err).Send()
 		writeError(rw, err.Error(), http.StatusInternalServerError)

pkg/api/handler_tcp_test.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"os"
 	"testing"
 
@@ -295,6 +296,25 @@ func TestHandler_TCP(t *testing.T) {
 				jsonFile:   "testdata/tcprouter-bar.json",
 			},
 		},
+		{
+			desc: "one TCP router by id containing slash",
+			path: "/api/tcp/routers/" + url.PathEscape("foo / bar@myprovider"),
+			conf: runtime.Configuration{
+				TCPRouters: map[string]*runtime.TCPRouterInfo{
+					"foo / bar@myprovider": {
+						TCPRouter: &dynamic.TCPRouter{
+							EntryPoints: []string{"web"},
+							Service:     "foo-service@myprovider",
+							Rule:        "Host(`foo.bar`)",
+						},
+					},
+				},
+			},
+			expected: expected{
+				statusCode: http.StatusOK,
+				jsonFile:   "testdata/tcprouter-foo-slash-bar.json",
+			},
+		},
 		{
 			desc: "one TCP router by id, that does not exist",
 			path: "/api/tcp/routers/foo@myprovider",
@@ -559,6 +579,30 @@ func TestHandler_TCP(t *testing.T) {
 				jsonFile:   "testdata/tcpservice-bar.json",
 			},
 		},
+		{
+			desc: "one tcp service by id containing slash",
+			path: "/api/tcp/services/" + url.PathEscape("foo / bar@myprovider"),
+			conf: runtime.Configuration{
+				TCPServices: map[string]*runtime.TCPServiceInfo{
+					"foo / bar@myprovider": {
+						TCPService: &dynamic.TCPService{
+							LoadBalancer: &dynamic.TCPServersLoadBalancer{
+								Servers: []dynamic.TCPServer{
+									{
+										Address: "127.0.0.1:2345",
+									},
+								},
+							},
+						},
+						UsedBy: []string{"foo@myprovider", "test@myprovider"},
+					},
+				},
+			},
+			expected: expected{
+				statusCode: http.StatusOK,
+				jsonFile:   "testdata/tcpservice-foo-slash-bar.json",
+			},
+		},
 		{
 			desc: "one tcp service by id, that does not exist",
 			path: "/api/tcp/services/nono@myprovider",
@@ -780,6 +824,26 @@ func TestHandler_TCP(t *testing.T) {
 				jsonFile:   "testdata/tcpmiddleware-ipallowlist.json",
 			},
 		},
+		{
+			desc: "one middleware by id containing slash",
+			path: "/api/tcp/middlewares/" + url.PathEscape("foo / bar@myprovider"),
+			conf: runtime.Configuration{
+				TCPMiddlewares: map[string]*runtime.TCPMiddlewareInfo{
+					"foo / bar@myprovider": {
+						TCPMiddleware: &dynamic.TCPMiddleware{
+							IPWhiteList: &dynamic.TCPIPWhiteList{
+								SourceRange: []string{"127.0.0.1/32"},
+							},
+						},
+						UsedBy: []string{"bar@myprovider", "test@myprovider"},
+					},
+				},
+			},
+			expected: expected{
+				statusCode: http.StatusOK,
+				jsonFile:   "testdata/tcpmiddleware-foo-slash-bar.json",
+			},
+		},
 		{
 			desc: "one middleware by id, that does not exist",
 			path: "/api/tcp/middlewares/foo@myprovider",

pkg/api/handler_udp.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"net/url"
 	"strconv"
 	"strings"
 
@@ -74,7 +75,13 @@ func (h Handler) getUDPRouters(rw http.ResponseWriter, request *http.Request) {
 }
 
 func (h Handler) getUDPRouter(rw http.ResponseWriter, request *http.Request) {
-	routerID := mux.Vars(request)["routerID"]
+	scapedRouterID := mux.Vars(request)["routerID"]
+
+	routerID, err := url.PathUnescape(scapedRouterID)
+	if err != nil {
+		writeError(rw, fmt.Sprintf("unable to decode routerID %q: %s", scapedRouterID, err), http.StatusBadRequest)
+		return
+	}
 
 	rw.Header().Set("Content-Type", "application/json")
 
@@ -86,7 +93,7 @@ func (h Handler) getUDPRouter(rw http.ResponseWriter, request *http.Request) {
 
 	result := newUDPRouterRepresentation(routerID, router)
 
-	err := json.NewEncoder(rw).Encode(result)
+	err = json.NewEncoder(rw).Encode(result)
 	if err != nil {
 		log.Ctx(request.Context()).Error().Err(err).Send()
 		writeError(rw, err.Error(), http.StatusInternalServerError)
@@ -125,7 +132,13 @@ func (h Handler) getUDPServices(rw http.ResponseWriter, request *http.Request) {
 }
 
 func (h Handler) getUDPService(rw http.ResponseWriter, request *http.Request) {
-	serviceID := mux.Vars(request)["serviceID"]
+	scapedServiceID := mux.Vars(request)["serviceID"]
+
+	serviceID, err := url.PathUnescape(scapedServiceID)
+	if err != nil {
+		writeError(rw, fmt.Sprintf("unable to decode serviceID %q: %s", scapedServiceID, err), http.StatusBadRequest)
+		return
+	}
 
 	rw.Header().Set("Content-Type", "application/json")
 
@@ -137,7 +150,7 @@ func (h Handler) getUDPService(rw http.ResponseWriter, request *http.Request) {
 
 	result := newUDPServiceRepresentation(serviceID, service)
 
-	err := json.NewEncoder(rw).Encode(result)
+	err = json.NewEncoder(rw).Encode(result)
 	if err != nil {
 		log.Ctx(request.Context()).Error().Err(err).Send()
 		writeError(rw, err.Error(), http.StatusInternalServerError)

pkg/api/handler_udp_test.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"os"
 	"testing"
 
@@ -224,6 +225,24 @@ func TestHandler_UDP(t *testing.T) {
 				jsonFile:   "testdata/udprouter-bar.json",
 			},
 		},
+		{
+			desc: "one UDP router by id containing slash",
+			path: "/api/udp/routers/" + url.PathEscape("foo / bar@myprovider"),
+			conf: runtime.Configuration{
+				UDPRouters: map[string]*runtime.UDPRouterInfo{
+					"foo / bar@myprovider": {
+						UDPRouter: &dynamic.UDPRouter{
+							EntryPoints: []string{"web"},
+							Service:     "foo-service@myprovider",
+						},
+					},
+				},
+			},
+			expected: expected{
+				statusCode: http.StatusOK,
+				jsonFile:   "testdata/udprouter-foo-slash-bar.json",
+			},
+		},
 		{
 			desc: "one UDP router by id, that does not exist",
 			path: "/api/udp/routers/foo@myprovider",
@@ -487,6 +506,30 @@ func TestHandler_UDP(t *testing.T) {
 				jsonFile:   "testdata/udpservice-bar.json",
 			},
 		},
+		{
+			desc: "one udp service by id containing slash",
+			path: "/api/udp/services/" + url.PathEscape("foo / bar@myprovider"),
+			conf: runtime.Configuration{
+				UDPServices: map[string]*runtime.UDPServiceInfo{
+					"foo / bar@myprovider": {
+						UDPService: &dynamic.UDPService{
+							LoadBalancer: &dynamic.UDPServersLoadBalancer{
+								Servers: []dynamic.UDPServer{
+									{
+										Address: "127.0.0.1:2345",
+									},
+								},
+							},
+						},
+						UsedBy: []string{"foo@myprovider", "test@myprovider"},
+					},
+				},
+			},
+			expected: expected{
+				statusCode: http.StatusOK,
+				jsonFile:   "testdata/udpservice-foo-slash-bar.json",
+			},
+		},
 		{
 			desc: "one udp service by id, that does not exist",
 			path: "/api/udp/services/nono@myprovider",

pkg/api/testdata/entrypoint-foo-slash-bar.json

@@ -0,0 +1,5 @@
+{
+	"address": ":81",
+	"http": {},
+	"name": "foo / bar"
+}

pkg/api/testdata/middleware-foo-slash-bar.json

@@ -0,0 +1,12 @@
+{
+  "addPrefix": {
+    "prefix": "/titi"
+  },
+  "name": "foo / bar@myprovider",
+  "provider": "myprovider",
+  "status": "enabled",
+  "type": "addprefix",
+  "usedBy": [
+    "test@myprovider"
+  ]
+}

pkg/api/testdata/router-foo-slash-bar.json

@@ -0,0 +1,17 @@
+{
+	"entryPoints": [
+		"web"
+	],
+	"middlewares": [
+		"auth",
+		"addPrefixTest@anotherprovider"
+	],
+	"name": "foo / bar@myprovider",
+	"provider": "myprovider",
+	"rule": "Host(`foo.bar`)",
+	"service": "foo-service@myprovider",
+	"status": "enabled",
+	"using": [
+		"web"
+	]
+}

pkg/api/testdata/service-foo-slash-bar.json

@@ -0,0 +1,21 @@
+{
+	"loadBalancer": {
+		"passHostHeader": true,
+		"servers": [
+			{
+				"url": "http://127.0.0.1"
+			}
+		]
+	},
+	"name": "foo / bar@myprovider",
+	"provider": "myprovider",
+	"serverStatus": {
+		"http://127.0.0.1": "UP"
+	},
+	"status": "enabled",
+	"type": "loadbalancer",
+	"usedBy": [
+		"foo@myprovider",
+		"test@myprovider"
+	]
+}

pkg/api/testdata/tcpmiddleware-foo-slash-bar.json

@@ -0,0 +1,13 @@
+{
+	"ipWhiteList": {
+		"sourceRange": ["127.0.0.1/32"]
+	},
+	"name": "foo / bar@myprovider",
+	"provider": "myprovider",
+	"status": "enabled",
+	"type": "ipwhitelist",
+	"usedBy": [
+		"bar@myprovider",
+		"test@myprovider"
+	]
+}

pkg/api/testdata/tcprouter-foo-slash-bar.json

@@ -0,0 +1,13 @@
+{
+	"entryPoints": [
+		"web"
+	],
+	"name": "foo / bar@myprovider",
+	"provider": "myprovider",
+	"rule": "Host(`foo.bar`)",
+	"service": "foo-service@myprovider",
+	"status": "enabled",
+	"using": [
+		"web"
+	]
+}

pkg/api/testdata/tcpservice-foo-slash-bar.json

@@ -0,0 +1,17 @@
+{
+	"loadBalancer": {
+		"servers": [
+			{
+				"address": "127.0.0.1:2345"
+			}
+		]
+	},
+	"name": "foo / bar@myprovider",
+	"provider": "myprovider",
+	"status": "enabled",
+	"type": "loadbalancer",
+	"usedBy": [
+		"foo@myprovider",
+		"test@myprovider"
+	]
+}

pkg/api/testdata/udprouter-foo-slash-bar.json

@@ -0,0 +1,12 @@
+{
+	"entryPoints": [
+		"web"
+	],
+	"name": "foo / bar@myprovider",
+	"provider": "myprovider",
+	"service": "foo-service@myprovider",
+	"status": "enabled",
+	"using": [
+		"web"
+	]
+}

pkg/api/testdata/udpservice-foo-slash-bar.json

@@ -0,0 +1,17 @@
+{
+	"loadBalancer": {
+		"servers": [
+			{
+				"address": "127.0.0.1:2345"
+			}
+		]
+	},
+	"name": "foo / bar@myprovider",
+	"provider": "myprovider",
+	"status": "enabled",
+	"type": "loadbalancer",
+	"usedBy": [
+		"foo@myprovider",
+		"test@myprovider"
+	]
+}

pkg/collector/collector.go

@@ -20,8 +20,6 @@ import (
 const collectorURL = "https://collect.traefik.io/yYaUej3P42cziRVzv6T5w2aYy9po2Mrn"
 
 // Collected data.
-//
-//nolint:musttag // cannot be changed for historical reasons.
 type data struct {
 	Version       string
 	Codename      string
@@ -67,7 +65,7 @@ func createBody(staticConfiguration *static.Configuration) (*bytes.Buffer, error
 	}
 
 	buf := new(bytes.Buffer)
-	err = json.NewEncoder(buf).Encode(data)
+	err = json.NewEncoder(buf).Encode(data) //nolint:musttag // cannot be changed for historical reasons.
 	if err != nil {
 		return nil, err
 	}

pkg/config/dynamic/middlewares.go

@@ -1,11 +1,11 @@
 package dynamic
 
 import (
+	"net/http"
 	"time"
 
 	ptypes "github.com/traefik/paerser/types"
 	"github.com/traefik/traefik/v3/pkg/ip"
-	"github.com/traefik/traefik/v3/pkg/types"
 )
 
 // +k8s:deepcopy-gen=true
@@ -54,9 +54,13 @@ type GrpcWeb struct {
 // +k8s:deepcopy-gen=true
 
 // ContentType holds the content-type middleware configuration.
-// This middleware sets the `Content-Type` header value to the media type detected from the response content,
+// This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
-// when it is not set by the backend.
+type ContentType struct {
-type ContentType struct{}
+	// AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend,
+	// be automatically set to a value derived from the contents of the response.
+	// Deprecated: AutoDetect option is deprecated, Content-Type middleware is only meant to be used to enable the content-type detection, please remove any usage of this option.
+	AutoDetect *bool `json:"autoDetect,omitempty" toml:"autoDetect,omitempty" yaml:"autoDetect,omitempty" export:"true"`
+}
 
 // +k8s:deepcopy-gen=true
 
@@ -141,6 +145,8 @@ type CircuitBreaker struct {
 	FallbackDuration ptypes.Duration `json:"fallbackDuration,omitempty" toml:"fallbackDuration,omitempty" yaml:"fallbackDuration,omitempty" export:"true"`
 	// RecoveryDuration is the duration for which the circuit breaker will try to recover (as soon as it is in recovering state).
 	RecoveryDuration ptypes.Duration `json:"recoveryDuration,omitempty" toml:"recoveryDuration,omitempty" yaml:"recoveryDuration,omitempty" export:"true"`
+	// ResponseCode is the status code that the circuit breaker will return while it is in the open state.
+	ResponseCode int `json:"responseCode,omitempty" toml:"responseCode,omitempty" yaml:"responseCode,omitempty" export:"true"`
 }
 
 // SetDefaults sets the default values on a RateLimit.
@@ -148,6 +154,7 @@ func (c *CircuitBreaker) SetDefaults() {
 	c.CheckPeriod = ptypes.Duration(100 * time.Millisecond)
 	c.FallbackDuration = ptypes.Duration(10 * time.Second)
 	c.RecoveryDuration = ptypes.Duration(10 * time.Second)
+	c.ResponseCode = http.StatusServiceUnavailable
 }
 
 // +k8s:deepcopy-gen=true
@@ -214,7 +221,7 @@ type ForwardAuth struct {
 	// Address defines the authentication server address.
 	Address string `json:"address,omitempty" toml:"address,omitempty" yaml:"address,omitempty"`
 	// TLS defines the configuration used to secure the connection to the authentication server.
-	TLS *types.ClientTLS `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"`
+	TLS *ClientTLS `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"`
 	// TrustForwardHeader defines whether to trust (ie: forward) all X-Forwarded-* headers.
 	TrustForwardHeader bool `json:"trustForwardHeader,omitempty" toml:"trustForwardHeader,omitempty" yaml:"trustForwardHeader,omitempty" export:"true"`
 	// AuthResponseHeaders defines the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.
@@ -231,6 +238,20 @@ type ForwardAuth struct {
 
 // +k8s:deepcopy-gen=true
 
+// ClientTLS holds TLS specific configurations as client
+// CA, Cert and Key can be either path or file contents.
+// TODO: remove this struct when CAOptional option will be removed.
+type ClientTLS struct {
+	CA                 string `description:"TLS CA" json:"ca,omitempty" toml:"ca,omitempty" yaml:"ca,omitempty"`
+	Cert               string `description:"TLS cert" json:"cert,omitempty" toml:"cert,omitempty" yaml:"cert,omitempty"`
+	Key                string `description:"TLS key" json:"key,omitempty" toml:"key,omitempty" yaml:"key,omitempty" loggable:"false"`
+	InsecureSkipVerify bool   `description:"TLS insecure skip verify" json:"insecureSkipVerify,omitempty" toml:"insecureSkipVerify,omitempty" yaml:"insecureSkipVerify,omitempty" export:"true"`
+	// Deprecated: TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).
+	CAOptional *bool `description:"TLS CA.Optional" json:"caOptional,omitempty" toml:"caOptional,omitempty" yaml:"caOptional,omitempty" export:"true"`
+}
+
+// +k8s:deepcopy-gen=true
+
 // Headers holds the headers middleware configuration.
 // This middleware manages the requests and responses headers.
 // More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/headers/#customrequestheaders
@@ -299,6 +320,17 @@ type Headers struct {
 	// If you would like your development environment to mimic production with complete Host blocking, SSL redirects,
 	// and STS headers, leave this as false.
 	IsDevelopment bool `json:"isDevelopment,omitempty" toml:"isDevelopment,omitempty" yaml:"isDevelopment,omitempty" export:"true"`
+
+	// Deprecated: FeaturePolicy option is deprecated, please use PermissionsPolicy instead.
+	FeaturePolicy *string `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty" export:"true"`
+	// Deprecated: SSLRedirect option is deprecated, please use EntryPoint redirection or RedirectScheme instead.
+	SSLRedirect *bool `json:"sslRedirect,omitempty" toml:"sslRedirect,omitempty" yaml:"sslRedirect,omitempty" export:"true"`
+	// Deprecated: SSLTemporaryRedirect option is deprecated, please use EntryPoint redirection or RedirectScheme instead.
+	SSLTemporaryRedirect *bool `json:"sslTemporaryRedirect,omitempty" toml:"sslTemporaryRedirect,omitempty" yaml:"sslTemporaryRedirect,omitempty" export:"true"`
+	// Deprecated: SSLHost option is deprecated, please use RedirectRegex instead.
+	SSLHost *string `json:"sslHost,omitempty" toml:"sslHost,omitempty" yaml:"sslHost,omitempty"`
+	// Deprecated: SSLForceHost option is deprecated, please use RedirectRegex instead.
+	SSLForceHost *bool `json:"sslForceHost,omitempty" toml:"sslForceHost,omitempty" yaml:"sslForceHost,omitempty" export:"true"`
 }
 
 // HasCustomHeadersDefined checks to see if any of the custom header elements have been set.
@@ -323,6 +355,10 @@ func (h *Headers) HasCorsHeadersDefined() bool {
 func (h *Headers) HasSecureHeadersDefined() bool {
 	return h != nil && (len(h.AllowedHosts) != 0 ||
 		len(h.HostsProxyHeaders) != 0 ||
+		(h.SSLRedirect != nil && *h.SSLRedirect) ||
+		(h.SSLTemporaryRedirect != nil && *h.SSLTemporaryRedirect) ||
+		(h.SSLForceHost != nil && *h.SSLForceHost) ||
+		(h.SSLHost != nil && *h.SSLHost != "") ||
 		len(h.SSLProxyHeaders) != 0 ||
 		h.STSSeconds != 0 ||
 		h.STSIncludeSubdomains ||
@@ -336,6 +372,7 @@ func (h *Headers) HasSecureHeadersDefined() bool {
 		h.ContentSecurityPolicy != "" ||
 		h.PublicKey != "" ||
 		h.ReferrerPolicy != "" ||
+		(h.FeaturePolicy != nil && *h.FeaturePolicy != "") ||
 		h.PermissionsPolicy != "" ||
 		h.IsDevelopment)
 }
@@ -553,6 +590,11 @@ type Retry struct {
 type StripPrefix struct {
 	// Prefixes defines the prefixes to strip from the request URL.
 	Prefixes []string `json:"prefixes,omitempty" toml:"prefixes,omitempty" yaml:"prefixes,omitempty" export:"true"`
+
+	// Deprecated: ForceSlash option is deprecated, please remove any usage of this option.
+	// ForceSlash ensures that the resulting stripped path is not the empty string, by replacing it with / when necessary.
+	// Default: true.
+	ForceSlash *bool `json:"forceSlash,omitempty" toml:"forceSlash,omitempty" yaml:"forceSlash,omitempty" export:"true"`
 }
 
 // +k8s:deepcopy-gen=true

pkg/config/dynamic/tcp_config.go

@@ -86,6 +86,14 @@ type TCPServersLoadBalancer struct {
 	ProxyProtocol    *ProxyProtocol `json:"proxyProtocol,omitempty" toml:"proxyProtocol,omitempty" yaml:"proxyProtocol,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
 	Servers          []TCPServer    `json:"servers,omitempty" toml:"servers,omitempty" yaml:"servers,omitempty" label-slice-as-struct:"server" export:"true"`
 	ServersTransport string         `json:"serversTransport,omitempty" toml:"serversTransport,omitempty" yaml:"serversTransport,omitempty" export:"true"`
+
+	// TerminationDelay, corresponds to the deadline that the proxy sets, after one
+	// of its connected peers indicates it has closed the writing capability of its
+	// connection, to close the reading capability as well, hence fully terminating the
+	// connection. It is a duration in milliseconds, defaulting to 100. A negative value
+	// means an infinite deadline (i.e. the reading capability is never closed).
+	// Deprecated: use ServersTransport to configure the TerminationDelay instead.
+	TerminationDelay *int `json:"terminationDelay,omitempty" toml:"terminationDelay,omitempty" yaml:"terminationDelay,omitempty" export:"true"`
 }
 
 // Mergeable tells if the given service is mergeable.

pkg/config/dynamic/zz_generated.deepcopy.go

@@ -124,6 +124,27 @@ func (in *CircuitBreaker) DeepCopy() *CircuitBreaker {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClientTLS) DeepCopyInto(out *ClientTLS) {
+	*out = *in
+	if in.CAOptional != nil {
+		in, out := &in.CAOptional, &out.CAOptional
+		*out = new(bool)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientTLS.
+func (in *ClientTLS) DeepCopy() *ClientTLS {
+	if in == nil {
+		return nil
+	}
+	out := new(ClientTLS)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Compress) DeepCopyInto(out *Compress) {
 	*out = *in
@@ -219,6 +240,11 @@ func (in Configurations) DeepCopy() Configurations {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContentType) DeepCopyInto(out *ContentType) {
 	*out = *in
+	if in.AutoDetect != nil {
+		in, out := &in.AutoDetect, &out.AutoDetect
+		*out = new(bool)
+		**out = **in
+	}
 	return
 }
 
@@ -316,8 +342,8 @@ func (in *ForwardAuth) DeepCopyInto(out *ForwardAuth) {
 	*out = *in
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
-		*out = new(types.ClientTLS)
+		*out = new(ClientTLS)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.AuthResponseHeaders != nil {
 		in, out := &in.AuthResponseHeaders, &out.AuthResponseHeaders
@@ -534,6 +560,31 @@ func (in *Headers) DeepCopyInto(out *Headers) {
 			(*out)[key] = val
 		}
 	}
+	if in.FeaturePolicy != nil {
+		in, out := &in.FeaturePolicy, &out.FeaturePolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.SSLRedirect != nil {
+		in, out := &in.SSLRedirect, &out.SSLRedirect
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SSLTemporaryRedirect != nil {
+		in, out := &in.SSLTemporaryRedirect, &out.SSLTemporaryRedirect
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SSLHost != nil {
+		in, out := &in.SSLHost, &out.SSLHost
+		*out = new(string)
+		**out = **in
+	}
+	if in.SSLForceHost != nil {
+		in, out := &in.SSLForceHost, &out.SSLForceHost
+		*out = new(bool)
+		**out = **in
+	}
 	return
 }
 
@@ -794,7 +845,7 @@ func (in *Middleware) DeepCopyInto(out *Middleware) {
 	if in.ContentType != nil {
 		in, out := &in.ContentType, &out.ContentType
 		*out = new(ContentType)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.GrpcWeb != nil {
 		in, out := &in.GrpcWeb, &out.GrpcWeb
@@ -1362,6 +1413,11 @@ func (in *StripPrefix) DeepCopyInto(out *StripPrefix) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.ForceSlash != nil {
+		in, out := &in.ForceSlash, &out.ForceSlash
+		*out = new(bool)
+		**out = **in
+	}
 	return
 }
 
@@ -1652,6 +1708,11 @@ func (in *TCPServersLoadBalancer) DeepCopyInto(out *TCPServersLoadBalancer) {
 		*out = make([]TCPServer, len(*in))
 		copy(*out, *in)
 	}
+	if in.TerminationDelay != nil {
+		in, out := &in.TerminationDelay, &out.TerminationDelay
+		*out = new(int)
+		**out = **in
+	}
 	return
 }
 

pkg/config/label/label_test.go

@@ -9,9 +9,11 @@ import (
 	"github.com/stretchr/testify/require"
 	ptypes "github.com/traefik/paerser/types"
 	"github.com/traefik/traefik/v3/pkg/config/dynamic"
-	"github.com/traefik/traefik/v3/pkg/types"
 )
 
+func Bool(v bool) *bool       { return &v }
+func String(v string) *string { return &v }
+
 func TestDecodeConfiguration(t *testing.T) {
 	labels := map[string]string{
 		"traefik.http.middlewares.Middleware0.addprefix.prefix":                                    "foobar",
@@ -30,6 +32,7 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware4.circuitbreaker.checkperiod":                          "1s",
 		"traefik.HTTP.Middlewares.Middleware4.circuitbreaker.fallbackduration":                     "1s",
 		"traefik.HTTP.Middlewares.Middleware4.circuitbreaker.recoveryduration":                     "1s",
+		"traefik.HTTP.Middlewares.Middleware4.circuitbreaker.responsecode":                         "403",
 		"traefik.http.middlewares.Middleware5.digestauth.headerfield":                              "foobar",
 		"traefik.http.middlewares.Middleware5.digestauth.realm":                                    "foobar",
 		"traefik.http.middlewares.Middleware5.digestauth.removeheader":                             "true",
@@ -42,6 +45,7 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.http.middlewares.Middleware7.forwardauth.authresponseheaders":                     "foobar, fiibar",
 		"traefik.http.middlewares.Middleware7.forwardauth.authrequestheaders":                      "foobar, fiibar",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.ca":                                  "foobar",
+		"traefik.http.middlewares.Middleware7.forwardauth.tls.caoptional":                          "true",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.cert":                                "foobar",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.insecureskipverify":                  "true",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.key":                                 "foobar",
@@ -70,9 +74,14 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.http.middlewares.Middleware8.headers.isdevelopment":                               "true",
 		"traefik.http.middlewares.Middleware8.headers.publickey":                                   "foobar",
 		"traefik.http.middlewares.Middleware8.headers.referrerpolicy":                              "foobar",
+		"traefik.http.middlewares.Middleware8.headers.featurepolicy":                               "foobar",
 		"traefik.http.middlewares.Middleware8.headers.permissionspolicy":                           "foobar",
+		"traefik.http.middlewares.Middleware8.headers.sslforcehost":                                "true",
+		"traefik.http.middlewares.Middleware8.headers.sslhost":                                     "foobar",
 		"traefik.http.middlewares.Middleware8.headers.sslproxyheaders.name0":                       "foobar",
 		"traefik.http.middlewares.Middleware8.headers.sslproxyheaders.name1":                       "foobar",
+		"traefik.http.middlewares.Middleware8.headers.sslredirect":                                 "true",
+		"traefik.http.middlewares.Middleware8.headers.ssltemporaryredirect":                        "true",
 		"traefik.http.middlewares.Middleware8.headers.stsincludesubdomains":                        "true",
 		"traefik.http.middlewares.Middleware8.headers.stspreload":                                  "true",
 		"traefik.http.middlewares.Middleware8.headers.stsseconds":                                  "42",
@@ -123,6 +132,7 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.http.middlewares.Middleware16.retry.attempts":                                     "42",
 		"traefik.http.middlewares.Middleware16.retry.initialinterval":                              "1s",
 		"traefik.http.middlewares.Middleware17.stripprefix.prefixes":                               "foobar, fiibar",
+		"traefik.http.middlewares.Middleware17.stripprefix.forceslash":                             "true",
 		"traefik.http.middlewares.Middleware18.stripprefixregex.regex":                             "foobar, fiibar",
 		"traefik.http.middlewares.Middleware19.compress.minresponsebodybytes":                      "42",
 		"traefik.http.middlewares.Middleware20.plugin.tomato.aaa":                                  "foo1",
@@ -193,9 +203,11 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.tcp.routers.Router1.tls.options":                          "foo",
 		"traefik.tcp.routers.Router1.tls.passthrough":                      "false",
 		"traefik.tcp.services.Service0.loadbalancer.server.Port":           "42",
+		"traefik.tcp.services.Service0.loadbalancer.TerminationDelay":      "42",
 		"traefik.tcp.services.Service0.loadbalancer.proxyProtocol.version": "42",
 		"traefik.tcp.services.Service0.loadbalancer.serversTransport":      "foo",
 		"traefik.tcp.services.Service1.loadbalancer.server.Port":           "42",
+		"traefik.tcp.services.Service1.loadbalancer.TerminationDelay":      "42",
 		"traefik.tcp.services.Service1.loadbalancer.proxyProtocol":         "true",
 		"traefik.tcp.services.Service1.loadbalancer.serversTransport":      "foo",
 
@@ -260,6 +272,7 @@ func TestDecodeConfiguration(t *testing.T) {
 								Port: "42",
 							},
 						},
+						TerminationDelay: func(i int) *int { return &i }(42),
 						ProxyProtocol:    &dynamic.ProxyProtocol{Version: 42},
 						ServersTransport: "foo",
 					},
@@ -271,6 +284,7 @@ func TestDecodeConfiguration(t *testing.T) {
 								Port: "42",
 							},
 						},
+						TerminationDelay: func(i int) *int { return &i }(42),
 						ProxyProtocol:    &dynamic.ProxyProtocol{Version: 2},
 						ServersTransport: "foo",
 					},
@@ -458,6 +472,7 @@ func TestDecodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
+						ForceSlash: Bool(true),
 					},
 				},
 				"Middleware18": {
@@ -496,6 +511,7 @@ func TestDecodeConfiguration(t *testing.T) {
 						CheckPeriod:      ptypes.Duration(time.Second),
 						FallbackDuration: ptypes.Duration(time.Second),
 						RecoveryDuration: ptypes.Duration(time.Second),
+						ResponseCode:     403,
 					},
 				},
 				"Middleware5": {
@@ -523,11 +539,12 @@ func TestDecodeConfiguration(t *testing.T) {
 				"Middleware7": {
 					ForwardAuth: &dynamic.ForwardAuth{
 						Address: "foobar",
-						TLS: &types.ClientTLS{
+						TLS: &dynamic.ClientTLS{
 							CA:                 "foobar",
 							Cert:               "foobar",
 							Key:                "foobar",
 							InsecureSkipVerify: true,
+							CAOptional:         Bool(true),
 						},
 						TrustForwardHeader: true,
 						AuthResponseHeaders: []string{
@@ -581,10 +598,14 @@ func TestDecodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
+						SSLRedirect:          Bool(true),
+						SSLTemporaryRedirect: Bool(true),
+						SSLHost:              String("foobar"),
 						SSLProxyHeaders: map[string]string{
 							"name0": "foobar",
 							"name1": "foobar",
 						},
+						SSLForceHost:            Bool(true),
 						STSSeconds:              42,
 						STSIncludeSubdomains:    true,
 						STSPreload:              true,
@@ -597,6 +618,7 @@ func TestDecodeConfiguration(t *testing.T) {
 						ContentSecurityPolicy:   "foobar",
 						PublicKey:               "foobar",
 						ReferrerPolicy:          "foobar",
+						FeaturePolicy:           String("foobar"),
 						PermissionsPolicy:       "foobar",
 						IsDevelopment:           true,
 					},
@@ -756,6 +778,7 @@ func TestEncodeConfiguration(t *testing.T) {
 							},
 						},
 						ServersTransport: "foo",
+						TerminationDelay: func(i int) *int { return &i }(42),
 					},
 				},
 				"Service1": {
@@ -766,6 +789,7 @@ func TestEncodeConfiguration(t *testing.T) {
 							},
 						},
 						ServersTransport: "foo",
+						TerminationDelay: func(i int) *int { return &i }(42),
 					},
 				},
 			},
@@ -950,6 +974,7 @@ func TestEncodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
+						ForceSlash: Bool(true),
 					},
 				},
 				"Middleware18": {
@@ -996,6 +1021,7 @@ func TestEncodeConfiguration(t *testing.T) {
 						CheckPeriod:      ptypes.Duration(time.Second),
 						FallbackDuration: ptypes.Duration(time.Second),
 						RecoveryDuration: ptypes.Duration(time.Second),
+						ResponseCode:     404,
 					},
 				},
 				"Middleware5": {
@@ -1023,11 +1049,12 @@ func TestEncodeConfiguration(t *testing.T) {
 				"Middleware7": {
 					ForwardAuth: &dynamic.ForwardAuth{
 						Address: "foobar",
-						TLS: &types.ClientTLS{
+						TLS: &dynamic.ClientTLS{
 							CA:                 "foobar",
 							Cert:               "foobar",
 							Key:                "foobar",
 							InsecureSkipVerify: true,
+							CAOptional:         Bool(true),
 						},
 						TrustForwardHeader: true,
 						AuthResponseHeaders: []string{
@@ -1081,10 +1108,14 @@ func TestEncodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
+						SSLRedirect:          Bool(true),
+						SSLTemporaryRedirect: Bool(true),
+						SSLHost:              String("foobar"),
 						SSLProxyHeaders: map[string]string{
 							"name0": "foobar",
 							"name1": "foobar",
 						},
+						SSLForceHost:            Bool(true),
 						STSSeconds:              42,
 						STSIncludeSubdomains:    true,
 						STSPreload:              true,
@@ -1097,6 +1128,7 @@ func TestEncodeConfiguration(t *testing.T) {
 						ContentSecurityPolicy:   "foobar",
 						PublicKey:               "foobar",
 						ReferrerPolicy:          "foobar",
+						FeaturePolicy:           String("foobar"),
 						PermissionsPolicy:       "foobar",
 						IsDevelopment:           true,
 					},
@@ -1206,6 +1238,7 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware4.CircuitBreaker.CheckPeriod":                          "1000000000",
 		"traefik.HTTP.Middlewares.Middleware4.CircuitBreaker.FallbackDuration":                     "1000000000",
 		"traefik.HTTP.Middlewares.Middleware4.CircuitBreaker.RecoveryDuration":                     "1000000000",
+		"traefik.HTTP.Middlewares.Middleware4.CircuitBreaker.ResponseCode":                         "404",
 		"traefik.HTTP.Middlewares.Middleware5.DigestAuth.HeaderField":                              "foobar",
 		"traefik.HTTP.Middlewares.Middleware5.DigestAuth.Realm":                                    "foobar",
 		"traefik.HTTP.Middlewares.Middleware5.DigestAuth.RemoveHeader":                             "true",
@@ -1218,6 +1251,7 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.AuthResponseHeaders":                     "foobar, fiibar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.AuthRequestHeaders":                      "foobar, fiibar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CA":                                  "foobar",
+		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CAOptional":                          "true",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Cert":                                "foobar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.InsecureSkipVerify":                  "true",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Key":                                 "foobar",
@@ -1246,9 +1280,14 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware8.Headers.IsDevelopment":                               "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.PublicKey":                                   "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.ReferrerPolicy":                              "foobar",
+		"traefik.HTTP.Middlewares.Middleware8.Headers.FeaturePolicy":                               "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.PermissionsPolicy":                           "foobar",
+		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLForceHost":                                "true",
+		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLHost":                                     "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name0":                       "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name1":                       "foobar",
+		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLRedirect":                                 "true",
+		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLTemporaryRedirect":                        "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.STSIncludeSubdomains":                        "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.STSPreload":                                  "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.STSSeconds":                                  "42",
@@ -1300,6 +1339,7 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware16.Retry.Attempts":                                     "42",
 		"traefik.HTTP.Middlewares.Middleware16.Retry.InitialInterval":                              "1000000000",
 		"traefik.HTTP.Middlewares.Middleware17.StripPrefix.Prefixes":                               "foobar, fiibar",
+		"traefik.HTTP.Middlewares.Middleware17.StripPrefix.ForceSlash":                             "true",
 		"traefik.HTTP.Middlewares.Middleware18.StripPrefixRegex.Regex":                             "foobar, fiibar",
 		"traefik.HTTP.Middlewares.Middleware19.Compress.MinResponseBodyBytes":                      "42",
 		"traefik.HTTP.Middlewares.Middleware20.Plugin.tomato.aaa":                                  "foo1",
@@ -1369,9 +1409,11 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.TCP.Services.Service0.LoadBalancer.server.Port":      "42",
 		"traefik.TCP.Services.Service0.LoadBalancer.server.TLS":       "false",
 		"traefik.TCP.Services.Service0.LoadBalancer.ServersTransport": "foo",
+		"traefik.TCP.Services.Service0.LoadBalancer.TerminationDelay": "42",
 		"traefik.TCP.Services.Service1.LoadBalancer.server.Port":      "42",
 		"traefik.TCP.Services.Service1.LoadBalancer.server.TLS":       "false",
 		"traefik.TCP.Services.Service1.LoadBalancer.ServersTransport": "foo",
+		"traefik.TCP.Services.Service1.LoadBalancer.TerminationDelay": "42",
 
 		"traefik.UDP.Routers.Router0.EntryPoints":                "foobar, fiibar",
 		"traefik.UDP.Routers.Router0.Service":                    "foobar",

pkg/config/runtime/runtime_http.go

@@ -2,6 +2,7 @@ package runtime
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"slices"
 	"sort"
@@ -43,7 +44,7 @@ func (c *Configuration) GetRoutersByEntryPoints(ctx context.Context, entryPoints
 		}
 
 		if entryPointsCount == 0 {
-			rt.AddError(fmt.Errorf("no valid entryPoint for this router"), true)
+			rt.AddError(errors.New("no valid entryPoint for this router"), true)
 			logger.Error().Msg("No valid entryPoint for this router")
 		}
 

pkg/config/runtime/runtime_tcp.go

@@ -2,6 +2,7 @@ package runtime
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"slices"
 
@@ -37,7 +38,7 @@ func (c *Configuration) GetTCPRoutersByEntryPoints(ctx context.Context, entryPoi
 		}
 
 		if entryPointsCount == 0 {
-			rt.AddError(fmt.Errorf("no valid entryPoint for this router"), true)
+			rt.AddError(errors.New("no valid entryPoint for this router"), true)
 			logger.Error().Msg("No valid entryPoint for this router")
 		}
 	}

pkg/config/runtime/runtime_udp.go

@@ -2,6 +2,7 @@ package runtime
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"slices"
 
@@ -43,7 +44,7 @@ func (c *Configuration) GetUDPRoutersByEntryPoints(ctx context.Context, entryPoi
 		}
 
 		if entryPointsCount == 0 {
-			rt.AddError(fmt.Errorf("no valid entryPoint for this router"), true)
+			rt.AddError(errors.New("no valid entryPoint for this router"), true)
 			logger.Error().Msg("No valid entryPoint for this router")
 		}
 	}

pkg/config/static/entrypoints.go

@@ -12,6 +12,7 @@ import (
 // EntryPoint holds the entry point configuration.
 type EntryPoint struct {
 	Address          string                `description:"Entry point address." json:"address,omitempty" toml:"address,omitempty" yaml:"address,omitempty"`
+	ReusePort        bool                  `description:"Enables EntryPoints from the same or different processes listening on the same TCP/UDP port." json:"reusePort,omitempty" toml:"reusePort,omitempty" yaml:"reusePort,omitempty"`
 	AsDefault        bool                  `description:"Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined." json:"asDefault,omitempty" toml:"asDefault,omitempty" yaml:"asDefault,omitempty"`
 	Transport        *EntryPointsTransport `description:"Configures communication between clients and Traefik." json:"transport,omitempty" toml:"transport,omitempty" yaml:"transport,omitempty" export:"true"`
 	ProxyProtocol    *ProxyProtocol        `description:"Proxy-Protocol configuration." json:"proxyProtocol,omitempty" toml:"proxyProtocol,omitempty" yaml:"proxyProtocol,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`

pkg/config/static/static_config.go

@@ -194,9 +194,9 @@ func (a *LifeCycle) SetDefaults() {
 // Tracing holds the tracing configuration.
 type Tracing struct {
 	ServiceName      string            `description:"Set the name for this service." json:"serviceName,omitempty" toml:"serviceName,omitempty" yaml:"serviceName,omitempty" export:"true"`
-	Headers          map[string]string `description:"Defines additional headers to be sent with the payloads." json:"headers,omitempty" toml:"headers,omitempty" yaml:"headers,omitempty" export:"true"`
 	GlobalAttributes map[string]string `description:"Defines additional attributes (key:value) on all spans." json:"globalAttributes,omitempty" toml:"globalAttributes,omitempty" yaml:"globalAttributes,omitempty" export:"true"`
 	SampleRate       float64           `description:"Sets the rate between 0.0 and 1.0 of requests to trace." json:"sampleRate,omitempty" toml:"sampleRate,omitempty" yaml:"sampleRate,omitempty" export:"true"`
+	AddInternals     bool              `description:"Enables tracing for internal services (ping, dashboard, etc...)." json:"addInternals,omitempty" toml:"addInternals,omitempty" yaml:"addInternals,omitempty" export:"true"`
 
 	OTLP *opentelemetry.Config `description:"Settings for OpenTelemetry." json:"otlp,omitempty" toml:"otlp,omitempty" yaml:"otlp,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 }
@@ -218,7 +218,7 @@ type Providers struct {
 	KubernetesIngress *ingress.Provider              `description:"Enable Kubernetes backend with default settings." json:"kubernetesIngress,omitempty" toml:"kubernetesIngress,omitempty" yaml:"kubernetesIngress,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 	KubernetesCRD     *crd.Provider                  `description:"Enable Kubernetes backend with default settings." json:"kubernetesCRD,omitempty" toml:"kubernetesCRD,omitempty" yaml:"kubernetesCRD,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 	KubernetesGateway *gateway.Provider              `description:"Enable Kubernetes gateway api provider with default settings." json:"kubernetesGateway,omitempty" toml:"kubernetesGateway,omitempty" yaml:"kubernetesGateway,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
-	Rest              *rest.Provider                 ` description:"Enable Rest backend with default settings." json:"rest,omitempty" toml:"rest,omitempty" yaml:"rest,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	Rest              *rest.Provider                 `description:"Enable Rest backend with default settings." json:"rest,omitempty" toml:"rest,omitempty" yaml:"rest,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 	ConsulCatalog     *consulcatalog.ProviderBuilder `description:"Enable ConsulCatalog backend with default settings." json:"consulCatalog,omitempty" toml:"consulCatalog,omitempty" yaml:"consulCatalog,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 	Nomad             *nomad.ProviderBuilder         `description:"Enable Nomad backend with default settings." json:"nomad,omitempty" toml:"nomad,omitempty" yaml:"nomad,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 	Ecs               *ecs.Provider                  `description:"Enable AWS ECS backend with default settings." json:"ecs,omitempty" toml:"ecs,omitempty" yaml:"ecs,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
@@ -341,19 +341,17 @@ func (c *Configuration) ValidateConfiguration() error {
 	}
 
 	if c.Tracing != nil && c.Tracing.OTLP != nil {
-		if c.Tracing.OTLP.HTTP == nil && c.Tracing.OTLP.GRPC == nil {
-			return errors.New("tracing OTLP: at least one of HTTP and gRPC options should be defined")
-		}
-
-		if c.Tracing.OTLP.HTTP != nil && c.Tracing.OTLP.GRPC != nil {
-			return errors.New("tracing OTLP: HTTP and gRPC options are mutually exclusive")
-		}
-
 		if c.Tracing.OTLP.GRPC != nil && c.Tracing.OTLP.GRPC.TLS != nil && c.Tracing.OTLP.GRPC.Insecure {
 			return errors.New("tracing OTLP GRPC: TLS and Insecure options are mutually exclusive")
 		}
 	}
 
+	if c.Metrics != nil && c.Metrics.OTLP != nil {
+		if c.Metrics.OTLP.GRPC != nil && c.Metrics.OTLP.GRPC.TLS != nil && c.Metrics.OTLP.GRPC.Insecure {
+			return errors.New("metrics OTLP GRPC: TLS and Insecure options are mutually exclusive")
+		}
+	}
+
 	return nil
 }
 

pkg/metrics/datadog.go

@@ -2,6 +2,7 @@ package metrics
 
 import (
 	"context"
+	"strings"
 	"time"
 
 	"github.com/go-kit/kit/metrics/dogstatsd"
@@ -16,6 +17,8 @@ var (
 	datadogLoopCancelFunc context.CancelFunc
 )
 
+const unixAddressPrefix = "unix://"
+
 // Metric names consistent with https://github.com/DataDog/integrations-extras/pull/64
 const (
 	ddConfigReloadsName           = "config.reload.total"
@@ -99,10 +102,7 @@ func RegisterDatadog(ctx context.Context, config *types.Datadog) Registry {
 }
 
 func initDatadogClient(ctx context.Context, config *types.Datadog) {
-	address := config.Address
+	network, address := parseDatadogAddress(config.Address)
-	if len(address) == 0 {
-		address = "localhost:8125"
-	}
 
 	ctx, datadogLoopCancelFunc = context.WithCancel(ctx)
 
@@ -110,10 +110,27 @@ func initDatadogClient(ctx context.Context, config *types.Datadog) {
 		ticker := time.NewTicker(time.Duration(config.PushInterval))
 		defer ticker.Stop()
 
-		datadogClient.SendLoop(ctx, ticker.C, "udp", address)
+		datadogClient.SendLoop(ctx, ticker.C, network, address)
 	})
 }
 
+func parseDatadogAddress(address string) (string, string) {
+	network := "udp"
+
+	var addr string
+	switch {
+	case strings.HasPrefix(address, unixAddressPrefix):
+		network = "unix"
+		addr = address[len(unixAddressPrefix):]
+	case address != "":
+		addr = address
+	default:
+		addr = "localhost:8125"
+	}
+
+	return network, addr
+}
+
 // StopDatadog stops the Datadog metrics pusher.
 func StopDatadog() {
 	if datadogLoopCancelFunc != nil {

pkg/metrics/datadog_test.go

@@ -7,6 +7,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stvp/go-udp-testing"
 	ptypes "github.com/traefik/paerser/types"
 	"github.com/traefik/traefik/v3/pkg/types"
@@ -39,6 +40,44 @@ func TestDatadogWithPrefix(t *testing.T) {
 	testDatadogRegistry(t, "testPrefix", datadogRegistry)
 }
 
+func TestDatadog_parseDatadogAddress(t *testing.T) {
+	tests := []struct {
+		desc       string
+		address    string
+		expNetwork string
+		expAddress string
+	}{
+		{
+			desc:       "empty address",
+			expNetwork: "udp",
+			expAddress: "localhost:8125",
+		},
+		{
+			desc:       "udp address",
+			address:    "127.0.0.1:8080",
+			expNetwork: "udp",
+			expAddress: "127.0.0.1:8080",
+		},
+		{
+			desc:       "unix address",
+			address:    "unix:///path/to/datadog.socket",
+			expNetwork: "unix",
+			expAddress: "/path/to/datadog.socket",
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			gotNetwork, gotAddress := parseDatadogAddress(test.address)
+			assert.Equal(t, test.expNetwork, gotNetwork)
+			assert.Equal(t, test.expAddress, gotAddress)
+		})
+	}
+}
+
 func testDatadogRegistry(t *testing.T, metricsPrefix string, datadogRegistry Registry) {
 	t.Helper()
 

pkg/metrics/opentelemetry.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/url"
 	"strings"
 	"sync"
 	"time"
@@ -30,7 +31,7 @@ var (
 )
 
 // RegisterOpenTelemetry registers all OpenTelemetry metrics.
-func RegisterOpenTelemetry(ctx context.Context, config *types.OpenTelemetry) Registry {
+func RegisterOpenTelemetry(ctx context.Context, config *types.OTLP) Registry {
 	if openTelemetryMeterProvider == nil {
 		var err error
 		if openTelemetryMeterProvider, err = newOpenTelemetryMeterProvider(ctx, config); err != nil {
@@ -123,15 +124,15 @@ func StopOpenTelemetry() {
 }
 
 // newOpenTelemetryMeterProvider creates a new controller.Controller.
-func newOpenTelemetryMeterProvider(ctx context.Context, config *types.OpenTelemetry) (*sdkmetric.MeterProvider, error) {
+func newOpenTelemetryMeterProvider(ctx context.Context, config *types.OTLP) (*sdkmetric.MeterProvider, error) {
 	var (
 		exporter sdkmetric.Exporter
 		err      error
 	)
 	if config.GRPC != nil {
-		exporter, err = newGRPCExporter(ctx, config)
+		exporter, err = newGRPCExporter(ctx, config.GRPC)
 	} else {
-		exporter, err = newHTTPExporter(ctx, config)
+		exporter, err = newHTTPExporter(ctx, config.HTTP)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("creating exporter: %w", err)
@@ -168,24 +169,24 @@ func newOpenTelemetryMeterProvider(ctx context.Context, config *types.OpenTeleme
 	return meterProvider, nil
 }
 
-func newHTTPExporter(ctx context.Context, config *types.OpenTelemetry) (sdkmetric.Exporter, error) {
+func newHTTPExporter(ctx context.Context, config *types.OtelHTTP) (sdkmetric.Exporter, error) {
-	host, port, err := net.SplitHostPort(config.Address)
+	endpoint, err := url.Parse(config.Endpoint)
 	if err != nil {
-		return nil, fmt.Errorf("invalid collector address %q: %w", config.Address, err)
+		return nil, fmt.Errorf("invalid collector endpoint %q: %w", config.Endpoint, err)
 	}
 
 	opts := []otlpmetrichttp.Option{
-		otlpmetrichttp.WithEndpoint(fmt.Sprintf("%s:%s", host, port)),
+		otlpmetrichttp.WithEndpoint(endpoint.Host),
 		otlpmetrichttp.WithHeaders(config.Headers),
 		otlpmetrichttp.WithCompression(otlpmetrichttp.GzipCompression),
 	}
 
-	if config.Insecure {
+	if endpoint.Scheme == "http" {
 		opts = append(opts, otlpmetrichttp.WithInsecure())
 	}
 
-	if config.Path != "" {
+	if endpoint.Path != "" {
-		opts = append(opts, otlpmetrichttp.WithURLPath(config.Path))
+		opts = append(opts, otlpmetrichttp.WithURLPath(endpoint.Path))
 	}
 
 	if config.TLS != nil {
@@ -200,10 +201,10 @@ func newHTTPExporter(ctx context.Context, config *types.OpenTelemetry) (sdkmetri
 	return otlpmetrichttp.New(ctx, opts...)
 }
 
-func newGRPCExporter(ctx context.Context, config *types.OpenTelemetry) (sdkmetric.Exporter, error) {
+func newGRPCExporter(ctx context.Context, config *types.OtelGRPC) (sdkmetric.Exporter, error) {
-	host, port, err := net.SplitHostPort(config.Address)
+	host, port, err := net.SplitHostPort(config.Endpoint)
 	if err != nil {
-		return nil, fmt.Errorf("invalid collector address %q: %w", config.Address, err)
+		return nil, fmt.Errorf("invalid collector endpoint %q: %w", config.Endpoint, err)
 	}
 
 	opts := []otlpmetricgrpc.Option{

pkg/metrics/opentelemetry_test.go

@@ -8,7 +8,6 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
-	"net/url"
 	"regexp"
 	"strconv"
 	"testing"
@@ -316,14 +315,12 @@ func TestOpenTelemetry(t *testing.T) {
 		ts.Close()
 	})
 
-	sURL, err := url.Parse(ts.URL)
+	var cfg types.OTLP
-	require.NoError(t, err)
-
-	var cfg types.OpenTelemetry
 	(&cfg).SetDefaults()
 	cfg.AddRoutersLabels = true
-	cfg.Address = sURL.Host
+	cfg.HTTP = &types.OtelHTTP{
-	cfg.Insecure = true
+		Endpoint: ts.URL,
+	}
 	cfg.PushInterval = ptypes.Duration(10 * time.Millisecond)
 
 	registry := RegisterOpenTelemetry(context.Background(), &cfg)

pkg/middlewares/accesslog/logger_test.go

@@ -27,6 +27,8 @@ import (
 	"github.com/traefik/traefik/v3/pkg/types"
 )
 
+const delta float64 = 1e-10
+
 var (
 	logFileNameSuffix       = "/traefik/logger/test.log"
 	testContent             = "Hello, World"
@@ -280,7 +282,7 @@ func assertFloat64(exp float64) func(t *testing.T, actual interface{}) {
 	return func(t *testing.T, actual interface{}) {
 		t.Helper()
 
-		assert.Equal(t, exp, actual)
+		assert.InDelta(t, exp, actual, delta)
 	}
 }
 

pkg/middlewares/addprefix/add_prefix.go

@@ -2,7 +2,7 @@ package addprefix
 
 import (
 	"context"
-	"fmt"
+	"errors"
 	"net/http"
 
 	"github.com/traefik/traefik/v3/pkg/config/dynamic"
@@ -33,7 +33,7 @@ func New(ctx context.Context, next http.Handler, config dynamic.AddPrefix, name
 			name:   name,
 		}
 	} else {
-		return nil, fmt.Errorf("prefix cannot be empty")
+		return nil, errors.New("prefix cannot be empty")
 	}
 
 	return result, nil

pkg/middlewares/auth/forward.go

@@ -15,6 +15,7 @@ import (
 	"github.com/traefik/traefik/v3/pkg/middlewares"
 	"github.com/traefik/traefik/v3/pkg/middlewares/connectionheader"
 	"github.com/traefik/traefik/v3/pkg/tracing"
+	"github.com/traefik/traefik/v3/pkg/types"
 	"github.com/vulcand/oxy/v2/forward"
 	"github.com/vulcand/oxy/v2/utils"
 	"go.opentelemetry.io/otel/trace"
@@ -53,7 +54,8 @@ type forwardAuth struct {
 
 // NewForward creates a forward auth middleware.
 func NewForward(ctx context.Context, next http.Handler, config dynamic.ForwardAuth, name string) (http.Handler, error) {
-	middlewares.GetLogger(ctx, name, typeNameForward).Debug().Msg("Creating middleware")
+	logger := middlewares.GetLogger(ctx, name, typeNameForward)
+	logger.Debug().Msg("Creating middleware")
 
 	addAuthCookiesToResponse := make(map[string]struct{})
 	for _, cookieName := range config.AddAuthCookiesToResponse {
@@ -79,7 +81,18 @@ func NewForward(ctx context.Context, next http.Handler, config dynamic.ForwardAu
 	}
 
 	if config.TLS != nil {
-		tlsConfig, err := config.TLS.CreateTLSConfig(ctx)
+		if config.TLS.CAOptional != nil {
+			logger.Warn().Msg("CAOptional option is deprecated, TLS client authentication is a server side option, please remove any usage of this option.")
+		}
+
+		clientTLS := &types.ClientTLS{
+			CA:                 config.TLS.CA,
+			Cert:               config.TLS.Cert,
+			Key:                config.TLS.Key,
+			InsecureSkipVerify: config.TLS.InsecureSkipVerify,
+		}
+
+		tlsConfig, err := clientTLS.CreateTLSConfig(ctx)
 		if err != nil {
 			return nil, fmt.Errorf("unable to create client TLS configuration: %w", err)
 		}

pkg/middlewares/auth/forward_test.go

@@ -17,6 +17,7 @@ import (
 	"github.com/traefik/traefik/v3/pkg/testhelpers"
 	"github.com/traefik/traefik/v3/pkg/tracing"
 	"github.com/traefik/traefik/v3/pkg/tracing/opentelemetry"
+	"github.com/traefik/traefik/v3/pkg/types"
 	"github.com/traefik/traefik/v3/pkg/version"
 	"github.com/vulcand/oxy/v2/forward"
 	"go.opentelemetry.io/otel"
@@ -500,7 +501,7 @@ func TestForwardAuthUsesTracing(t *testing.T) {
 		ServiceName: "testApp",
 		SampleRate:  1,
 		OTLP: &opentelemetry.Config{
-			HTTP: &opentelemetry.HTTP{
+			HTTP: &types.OtelHTTP{
 				Endpoint: "http://127.0.0.1:8080",
 			},
 		},

pkg/middlewares/circuitbreaker/circuit_breaker.go

@@ -30,12 +30,14 @@ func New(ctx context.Context, next http.Handler, confCircuitBreaker dynamic.Circ
 	logger.Debug().Msg("Creating middleware")
 	logger.Debug().Msgf("Setting up with expression: %s", expression)
 
+	responseCode := confCircuitBreaker.ResponseCode
+
 	cbOpts := []cbreaker.Option{
 		cbreaker.Fallback(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 			tracing.SetStatusErrorf(req.Context(), "blocked by circuit-breaker (%q)", expression)
-			rw.WriteHeader(http.StatusServiceUnavailable)
+			rw.WriteHeader(responseCode)
 
-			if _, err := rw.Write([]byte(http.StatusText(http.StatusServiceUnavailable))); err != nil {
+			if _, err := rw.Write([]byte(http.StatusText(responseCode))); err != nil {
 				log.Ctx(req.Context()).Error().Err(err).Send()
 			}
 		})),

pkg/middlewares/compress/brotli/brotli.go

@@ -2,6 +2,7 @@ package brotli
 
 import (
 	"bufio"
+	"errors"
 	"fmt"
 	"io"
 	"mime"
@@ -34,11 +35,11 @@ type Config struct {
 // NewWrapper returns a new Brotli compressing wrapper.
 func NewWrapper(cfg Config) (func(http.Handler) http.HandlerFunc, error) {
 	if cfg.MinSize < 0 {
-		return nil, fmt.Errorf("minimum size must be greater than or equal to zero")
+		return nil, errors.New("minimum size must be greater than or equal to zero")
 	}
 
 	if len(cfg.ExcludedContentTypes) > 0 && len(cfg.IncludedContentTypes) > 0 {
-		return nil, fmt.Errorf("excludedContentTypes and includedContentTypes options are mutually exclusive")
+		return nil, errors.New("excludedContentTypes and includedContentTypes options are mutually exclusive")
 	}
 
 	var excludedContentTypes []parsedContentType
@@ -138,6 +139,7 @@ func (r *responseWriter) Write(p []byte) (int, error) {
 	// If we detect a contentEncoding, we know we are never going to compress.
 	if r.rw.Header().Get(contentEncoding) != "" {
 		r.compressionDisabled = true
+		r.rw.WriteHeader(r.statusCode)
 		return r.rw.Write(p)
 	}
 

pkg/middlewares/compress/brotli/brotli_test.go

@@ -27,7 +27,7 @@ func Test_Vary(t *testing.T) {
 	rw := httptest.NewRecorder()
 	h.ServeHTTP(rw, req)
 
-	assert.Equal(t, http.StatusOK, rw.Code)
+	assert.Equal(t, http.StatusAccepted, rw.Code)
 	assert.Equal(t, acceptEncoding, rw.Header().Get(vary))
 }
 
@@ -41,7 +41,7 @@ func Test_SmallBodyNoCompression(t *testing.T) {
 	h.ServeHTTP(rw, req)
 
 	// With less than 1024 bytes the response should not be compressed.
-	assert.Equal(t, http.StatusOK, rw.Code)
+	assert.Equal(t, http.StatusAccepted, rw.Code)
 	assert.Empty(t, rw.Header().Get(contentEncoding))
 	assert.Equal(t, smallTestBody, rw.Body.Bytes())
 }
@@ -55,6 +55,7 @@ func Test_AlreadyCompressed(t *testing.T) {
 	rw := httptest.NewRecorder()
 	h.ServeHTTP(rw, req)
 
+	assert.Equal(t, http.StatusAccepted, rw.Code)
 	assert.Equal(t, bigTestBody, rw.Body.Bytes())
 }
 
@@ -749,6 +750,7 @@ func newTestHandler(t *testing.T, body []byte) http.Handler {
 				rw.Header().Set("Content-Encoding", "br")
 			}
 
+			rw.WriteHeader(http.StatusAccepted)
 			_, err := rw.Write(body)
 			require.NoError(t, err)
 		}),

pkg/middlewares/compress/compress.go

@@ -2,6 +2,7 @@ package compress
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"mime"
 	"net/http"
@@ -38,7 +39,7 @@ func New(ctx context.Context, next http.Handler, conf dynamic.Compress, name str
 	middlewares.GetLogger(ctx, name, typeName).Debug().Msg("Creating middleware")
 
 	if len(conf.ExcludedContentTypes) > 0 && len(conf.IncludedContentTypes) > 0 {
-		return nil, fmt.Errorf("excludedContentTypes and includedContentTypes options are mutually exclusive")
+		return nil, errors.New("excludedContentTypes and includedContentTypes options are mutually exclusive")
 	}
 
 	excludes := []string{"application/grpc"}

pkg/middlewares/contenttype/content_type.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net/http"
 
+	"github.com/traefik/traefik/v3/pkg/config/dynamic"
 	"github.com/traefik/traefik/v3/pkg/middlewares"
 )
 
@@ -18,8 +19,19 @@ type contentType struct {
 }
 
 // New creates a new handler.
-func New(ctx context.Context, next http.Handler, name string) (http.Handler, error) {
+func New(ctx context.Context, next http.Handler, config dynamic.ContentType, name string) (http.Handler, error) {
-	middlewares.GetLogger(ctx, name, typeName).Debug().Msg("Creating middleware")
+	logger := middlewares.GetLogger(ctx, name, typeName)
+	logger.Debug().Msg("Creating middleware")
+
+	if config.AutoDetect != nil {
+		logger.Warn().Msg("AutoDetect option is deprecated, Content-Type middleware is only meant to be used to enable the content-type detection, please remove any usage of this option.")
+
+		// Disable content-type detection (idempotent).
+		if !*config.AutoDetect {
+			return next, nil
+		}
+	}
+
 	return &contentType{next: next, name: name}, nil
 }
 

pkg/middlewares/contenttype/content_type_test.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/traefik/traefik/v3/pkg/config/dynamic"
 	"github.com/traefik/traefik/v3/pkg/testhelpers"
 )
 
@@ -60,7 +61,7 @@ func TestAutoDetection(t *testing.T) {
 
 			if test.autoDetect {
 				var err error
-				next, err = New(context.Background(), next, "foo-content-type")
+				next, err = New(context.Background(), next, dynamic.ContentType{}, "foo-content-type")
 				require.NoError(t, err)
 			}
 

pkg/middlewares/stripprefix/strip_prefix.go

@@ -21,15 +21,27 @@ type stripPrefix struct {
 	next     http.Handler
 	prefixes []string
 	name     string
+
+	// Deprecated: Must be removed (breaking), the default behavior must be forceSlash=false
+	forceSlash bool
 }
 
 // New creates a new strip prefix middleware.
 func New(ctx context.Context, next http.Handler, config dynamic.StripPrefix, name string) (http.Handler, error) {
-	middlewares.GetLogger(ctx, name, typeName).Debug().Msg("Creating middleware")
+	logger := middlewares.GetLogger(ctx, name, typeName)
+	logger.Debug().Msg("Creating middleware")
+
+	if config.ForceSlash != nil {
+		logger.Warn().Msgf("`ForceSlash` option is deprecated, please remove any usage of this option.")
+	}
+	// Handle default value (here because of deprecation and the removal of setDefault).
+	forceSlash := config.ForceSlash != nil && *config.ForceSlash
+
 	return &stripPrefix{
-		prefixes: config.Prefixes,
+		prefixes:   config.Prefixes,
-		next:     next,
+		next:       next,
-		name:     name,
+		name:       name,
+		forceSlash: forceSlash,
 	}, nil
 }
 
@@ -58,6 +70,13 @@ func (s *stripPrefix) serveRequest(rw http.ResponseWriter, req *http.Request, pr
 }
 
 func (s *stripPrefix) getPrefixStripped(urlPath, prefix string) string {
+	if s.forceSlash {
+		// Only for compatibility reason with the previous behavior,
+		// but the previous behavior is wrong.
+		// This needs to be removed in the next breaking version.
+		return "/" + strings.TrimPrefix(strings.TrimPrefix(urlPath, prefix), "/")
+	}
+
 	return ensureLeadingSlash(strings.TrimPrefix(urlPath, prefix))
 }
 

pkg/middlewares/stripprefix/strip_prefix_test.go

@@ -146,6 +146,9 @@ func TestStripPrefix(t *testing.T) {
 				requestURI = r.RequestURI
 			})
 
+			pointer := func(v bool) *bool { return &v }
+			test.config.ForceSlash = pointer(false)
+
 			handler, err := New(context.Background(), next, test.config, "foo-strip-prefix")
 			require.NoError(t, err)