Remove deprecated options

.golangci.yml

@@ -134,14 +134,6 @@ issues:
   exclude:
     - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
     - "should have a package comment, unless it's in another file for this package"
-    - 'SA1019: cfg.SSLRedirect is deprecated'
-    - 'SA1019: cfg.SSLTemporaryRedirect is deprecated'
-    - 'SA1019: cfg.SSLHost is deprecated'
-    - 'SA1019: cfg.SSLForceHost is deprecated'
-    - 'SA1019: cfg.FeaturePolicy is deprecated'
-    - 'SA1019: c.Providers.ConsulCatalog.Namespace is deprecated'
-    - 'SA1019: c.Providers.Consul.Namespace is deprecated'
-    - 'SA1019: c.Providers.Nomad.Namespace is deprecated'
   exclude-rules:
     - path: '(.+)_test.go'
       linters:

cmd/traefik/traefik.go

@@ -204,10 +204,6 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}
 
-	if staticConfiguration.Pilot != nil {
-		log.Warn().Msg("Traefik Pilot has been removed.")
-	}
-
 	// Plugins
 
 	pluginBuilder, err := createPluginBuilder(staticConfiguration)

docs/content/deprecation/features.md

@@ -2,33 +2,4 @@
 
 This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.
 
-| Feature                                                     | Deprecated | End of Support | Removal |
+There is no feature deprecation in Traefik v3 for now.
-|-------------------------------------------------------------|------------|----------------|---------|
-| [Pilot](#pilot)                                             | 2.7        | 2.8            | 2.9     |
-| [Consul Enterprise Namespace](#consul-enterprise-namespace) | 2.8        | N/A            | 3.0     |
-| [TLS 1.0 and 1.1 Support](#tls-10-and-11)                   | N/A        | 2.8            | N/A     |
-| [Nomad Namespace](#nomad-namespace)                         | 2.10       | N/A            | 3.0     |
-
-## Impact
-
-### Pilot
-
-Metrics will continue to function normally up to 2.8, when they will be disabled.  
-In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.
-
-Starting on 2.7 the pilot token will not be a requirement anymore for plugins.  
-Since 2.8, a [new plugin catalog](https://plugins.traefik.io) is available, decoupled from Pilot.
-
-### Consul Enterprise Namespace
-
-Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated, 
-please use the `namespaces` options instead.  
-
-### TLS 1.0 and 1.1
-
-Starting on 2.8 the default TLS options will use the minimum version of TLS 1.2. Of course, it can still be overridden with custom configuration.  
-
-### Nomad Namespace
-
-Starting on 2.10 the `namespace` option of the Nomad provider is deprecated,
-please use the `namespaces` options instead.  

docs/content/middlewares/http/headers.md

@@ -364,43 +364,11 @@ The `allowedHosts` option lists fully qualified domain names that are allowed.
 
 The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
 
-### `sslRedirect`
-
-!!! warning
-
-    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
-
-The `sslRedirect` only allow HTTPS requests when set to `true`.
-
-### `sslTemporaryRedirect`
-
-!!! warning
-
-    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
-
-Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
-
-### `sslHost`
-
-!!! warning
-
-    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
-
-The `sslHost` option is the host name that is used to redirect HTTP requests to HTTPS.
-
 ### `sslProxyHeaders`
 
 The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid HTTPS request.
 It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).
 
-### `sslForceHost`
-
-!!! warning
-
-    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
-
-Set `sslForceHost` to `true` and set `sslHost` to force requests to use `SSLHost` regardless of whether they already use SSL.
-
 ### `stsSeconds`
 
 The `stsSeconds` is the max-age of the `Strict-Transport-Security` header.
@@ -452,14 +420,6 @@ The `publicKey` implements HPKP to prevent MITM attacks with forged certificates
 
 The `referrerPolicy` allows sites to control whether browsers forward the `Referer` header to other sites.
 
-### `featurePolicy`
-
-!!! warning
-
-    Deprecated in favor of `permissionsPolicy`
-
-The `featurePolicy` allows sites to control browser features.
-
 ### `permissionsPolicy`
 
 The `permissionsPolicy` allows sites to control browser features.

docs/content/middlewares/http/stripprefix.md

@@ -88,85 +88,3 @@ For instance, `/products` also matches `/products/shoes` and `/products/shirts`.
 
 If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
 Using the previous example, the backend should return `/products/shoes/image.png` (and not `/image.png`, which Traefik would likely not be able to associate with the same backend).
-
-### `forceSlash`
-
-_Optional, Default=true_
-
-The `forceSlash` option ensures the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
-
-This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
-
-It is recommended to explicitly set `forceSlash` to `false`.
-
-??? info "Behavior examples"
-
-    - `forceSlash=true`
-
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | `/`    |
-    | `/foo`     | `/foo`          | `/`    |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | `/`    |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
-
-    - `forceSlash=false`
-
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | empty  |
-    | `/foo`     | `/foo`          | empty  |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | empty  |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
-
-```yaml tab="Docker"
-labels:
-  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
-  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: example
-spec:
-  stripPrefix:
-    prefixes:
-      - "/foobar"
-    forceSlash: false
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
-  "traefik.http.middlewares.example.stripprefix.forceSlash": "false"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
-  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    example:
-      stripPrefix:
-        prefixes:
-          - "/foobar"
-        forceSlash: false
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.example.stripPrefix]
-    prefixes = ["/foobar"]
-    forceSlash = false
-```

docs/content/migration/v2-to-v3.md

@@ -20,3 +20,13 @@ In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing
 ## gRPC Metrics
 
 In v3, the reported status code for gRPC requests is now the value of the `Grpc-Status` header.  
+
+## Deprecated Options Removal
+
+- The `pilot` option has been removed from the static configuration.
+- The `tracing.datadog.globaltag` option has been removed.
+- The `namespace` option of Consul, Consul Catalog and Nomad providers has been removed.
+- The `tls.caOptional` option has been removed from the ForwardAuth middleware, as well as from the HTTP, Consul, Etcd, Redis, ZooKeeper, Marathon, Consul Catalog, and Docker providers.
+- `sslRedirect`, `sslTemporaryRedirect`, `sslHost`, `sslForceHost` and `featurePolicy` options of the Headers middleware have been removed.
+- The `forceSlash` option of the StripPrefix middleware has been removed.
+- the `preferServerCipherSuites` option has been removed.

docs/content/observability/tracing/datadog.md

@@ -65,30 +65,6 @@ tracing:
 --tracing.datadog.debug=true
 ```
 
-#### `globalTag`
-
-??? warning "Deprecated in favor of the [`globalTags`](#globaltags) option."
-
-    _Optional, Default=empty_
-    
-    Applies a shared key:value tag on all spans.
-    
-    ```yaml tab="File (YAML)"
-    tracing:
-      datadog:
-        globalTag: sample
-    ```
-    
-    ```toml tab="File (TOML)"
-    [tracing]
-      [tracing.datadog]
-        globalTag = "sample"
-    ```
-    
-    ```bash tab="CLI"
-    --tracing.datadog.globalTag=sample
-    ```
-
 #### `globalTags`
 
 _Optional, Default=empty_

docs/content/providers/consul-catalog.md

@@ -667,41 +667,6 @@ providers:
 
 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
 
-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-    
-    The `namespace` option defines the namespace in which the consul catalog services will be discovered.
-    
-    !!! warning
-    
-        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
-        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-    
-    ```yaml tab="File (YAML)"
-    providers:
-      consulCatalog:
-        namespace: "production" 
-        # ...
-    ```
-    
-    ```toml tab="File (TOML)"
-    [providers.consulCatalog]
-      namespace = "production"
-      # ...
-    ```
-    
-    ```bash tab="CLI"
-    --providers.consulcatalog.namespace=production
-    # ...
-    ```
-
 ### `namespaces`
 
 _Optional, Default=""_

docs/content/providers/consul.md

@@ -59,40 +59,6 @@ providers:
 --providers.consul.rootkey=traefik
 ```
 
-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-    
-    The `namespace` option defines the namespace to query.
-    
-    !!! warning
-    
-        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
-        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-    
-    ```yaml tab="File (YAML)"
-    providers:
-      consul:
-        # ...
-        namespace: "production"
-    ```
-    
-    ```toml tab="File (TOML)"
-    [providers.consul]
-      # ...
-      namespace = "production"
-    ```
-    
-    ```bash tab="CLI"
-    --providers.consul.namespace=production
-    ```
-
 ### `namespaces`
 
 _Optional, Default=""_

docs/content/providers/nomad.md

@@ -440,36 +440,6 @@ providers:
 
 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
 
-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-
-    The `namespace` option defines the namespace in which the Nomad services will be discovered.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-
-    ```yaml tab="File (YAML)"
-    providers:
-      nomad:
-        namespace: "production"
-        # ...
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.nomad]
-      namespace = "production"
-      # ...
-    ```
-
-    ```bash tab="CLI"
-    --providers.nomad.namespace=production
-    # ...
-    ```
-
 ### `namespaces`
 
 _Optional, Default=""_

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -31,7 +31,6 @@
 - "traefik.http.middlewares.middleware09.forwardauth.authresponseheadersregex=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.authrequestheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.ca=foobar"
-- "traefik.http.middlewares.middleware09.forwardauth.tls.caoptional=true"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.cert=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify=true"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.key=foobar"
@@ -54,7 +53,6 @@
 - "traefik.http.middlewares.middleware10.headers.customrequestheaders.name1=foobar"
 - "traefik.http.middlewares.middleware10.headers.customresponseheaders.name0=foobar"
 - "traefik.http.middlewares.middleware10.headers.customresponseheaders.name1=foobar"
-- "traefik.http.middlewares.middleware10.headers.featurepolicy=foobar"
 - "traefik.http.middlewares.middleware10.headers.forcestsheader=true"
 - "traefik.http.middlewares.middleware10.headers.framedeny=true"
 - "traefik.http.middlewares.middleware10.headers.hostsproxyheaders=foobar, foobar"
@@ -62,12 +60,8 @@
 - "traefik.http.middlewares.middleware10.headers.permissionspolicy=foobar"
 - "traefik.http.middlewares.middleware10.headers.publickey=foobar"
 - "traefik.http.middlewares.middleware10.headers.referrerpolicy=foobar"
-- "traefik.http.middlewares.middleware10.headers.sslforcehost=true"
-- "traefik.http.middlewares.middleware10.headers.sslhost=foobar"
 - "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0=foobar"
 - "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1=foobar"
-- "traefik.http.middlewares.middleware10.headers.sslredirect=true"
-- "traefik.http.middlewares.middleware10.headers.ssltemporaryredirect=true"
 - "traefik.http.middlewares.middleware10.headers.stsincludesubdomains=true"
 - "traefik.http.middlewares.middleware10.headers.stspreload=true"
 - "traefik.http.middlewares.middleware10.headers.stsseconds=42"
@@ -118,7 +112,6 @@
 - "traefik.http.middlewares.middleware19.replacepathregex.replacement=foobar"
 - "traefik.http.middlewares.middleware20.retry.attempts=42"
 - "traefik.http.middlewares.middleware20.retry.initialinterval=42"
-- "traefik.http.middlewares.middleware21.stripprefix.forceslash=true"
 - "traefik.http.middlewares.middleware21.stripprefix.prefixes=foobar, foobar"
 - "traefik.http.middlewares.middleware22.stripprefixregex.regex=foobar, foobar"
 - "traefik.http.middlewares.middleware23.grpcweb.alloworigins=foobar, foobar"

docs/content/reference/dynamic-configuration/file.toml

@@ -159,7 +159,6 @@
         authRequestHeaders = ["foobar", "foobar"]
         [http.middlewares.Middleware09.forwardAuth.tls]
           ca = "foobar"
-          caOptional = true
           cert = "foobar"
           key = "foobar"
           insecureSkipVerify = true
@@ -175,10 +174,6 @@
         addVaryHeader = true
         allowedHosts = ["foobar", "foobar"]
         hostsProxyHeaders = ["foobar", "foobar"]
-        sslRedirect = true
-        sslTemporaryRedirect = true
-        sslHost = "foobar"
-        sslForceHost = true
         stsSeconds = 42
         stsIncludeSubdomains = true
         stsPreload = true
@@ -191,7 +186,6 @@
         contentSecurityPolicy = "foobar"
         publicKey = "foobar"
         referrerPolicy = "foobar"
-        featurePolicy = "foobar"
         permissionsPolicy = "foobar"
         isDevelopment = true
         [http.middlewares.Middleware10.headers.customRequestHeaders]
@@ -282,7 +276,6 @@
     [http.middlewares.Middleware21]
       [http.middlewares.Middleware21.stripPrefix]
         prefixes = ["foobar", "foobar"]
-        forceSlash = true
     [http.middlewares.Middleware22]
       [http.middlewares.Middleware22.stripPrefixRegex]
         regex = ["foobar", "foobar"]
@@ -458,7 +451,6 @@
       cipherSuites = ["foobar", "foobar"]
       curvePreferences = ["foobar", "foobar"]
       sniStrict = true
-      preferServerCipherSuites = true
       alpnProtocols = ["foobar", "foobar"]
       [tls.options.Options0.clientAuth]
         caFiles = ["foobar", "foobar"]
@@ -469,7 +461,6 @@
       cipherSuites = ["foobar", "foobar"]
       curvePreferences = ["foobar", "foobar"]
       sniStrict = true
-      preferServerCipherSuites = true
       alpnProtocols = ["foobar", "foobar"]
       [tls.options.Options1.clientAuth]
         caFiles = ["foobar", "foobar"]

docs/content/reference/dynamic-configuration/file.yaml

@@ -164,7 +164,6 @@ http:
         address: foobar
         tls:
           ca: foobar
-          caOptional: true
           cert: foobar
           key: foobar
           insecureSkipVerify: true
@@ -208,13 +207,9 @@ http:
         hostsProxyHeaders:
           - foobar
           - foobar
-        sslRedirect: true
-        sslTemporaryRedirect: true
-        sslHost: foobar
         sslProxyHeaders:
           name0: foobar
           name1: foobar
-        sslForceHost: true
         stsSeconds: 42
         stsIncludeSubdomains: true
         stsPreload: true
@@ -227,7 +222,6 @@ http:
         contentSecurityPolicy: foobar
         publicKey: foobar
         referrerPolicy: foobar
-        featurePolicy: foobar
         permissionsPolicy: foobar
         isDevelopment: true
     Middleware11:
@@ -319,7 +313,6 @@ http:
         prefixes:
           - foobar
           - foobar
-        forceSlash: true
     Middleware22:
       stripPrefixRegex:
         regex:
@@ -509,7 +502,6 @@ tls:
           - foobar
         clientAuthType: foobar
       sniStrict: true
-      preferServerCipherSuites: true
       alpnProtocols:
         - foobar
         - foobar
@@ -528,7 +520,6 @@ tls:
           - foobar
         clientAuthType: foobar
       sniStrict: true
-      preferServerCipherSuites: true
       alpnProtocols:
         - foobar
         - foobar

docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

@@ -946,8 +946,6 @@ spec:
                     description: TLS defines the configuration used to secure the
                       connection to the authentication server.
                     properties:
-                      caOptional:
-                        type: boolean
                       caSecret:
                         description: CASecret is the name of the referenced Kubernetes
                           Secret containing the CA to validate the server certificate.
@@ -1066,9 +1064,6 @@ spec:
                     description: CustomResponseHeaders defines the header names and
                       values to apply to the response.
                     type: object
-                  featurePolicy:
-                    description: 'Deprecated: use PermissionsPolicy instead.'
-                    type: string
                   forceSTSHeader:
                     description: ForceSTSHeader defines whether to add the STS header
                       even when the connection is HTTP.
@@ -1104,12 +1099,6 @@ spec:
                       value. This allows sites to control whether browsers forward
                       the Referer header to other sites.
                     type: string
-                  sslForceHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: boolean
-                  sslHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: string
                   sslProxyHeaders:
                     additionalProperties:
                       type: string
@@ -1118,14 +1107,6 @@ spec:
                       useful when using other proxies (example: "X-Forwarded-Proto":
                       "https").'
                     type: object
-                  sslRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
-                  sslTemporaryRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
                   stsIncludeSubdomains:
                     description: STSIncludeSubdomains defines whether the includeSubDomains
                       directive is appended to the Strict-Transport-Security header.
@@ -1467,11 +1448,6 @@ spec:
                   This middleware removes the specified prefixes from the URL path.
                   More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefix/'
                 properties:
-                  forceSlash:
-                    description: 'ForceSlash ensures that the resulting stripped path
-                      is not the empty string, by replacing it with / when necessary.
-                      Default: true.'
-                    type: boolean
                   prefixes:
                     description: Prefixes defines the prefixes to strip from the request
                       URL.
@@ -1807,12 +1783,6 @@ spec:
                   will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                   VersionTLS13. Default: VersionTLS10.'
                 type: string
-              preferServerCipherSuites:
-                description: 'PreferServerCipherSuites defines whether the server
-                  chooses a cipher suite among his own instead of among the client''s.
-                  It is enabled automatically when minVersion or maxVersion is set.
-                  Deprecated: https://github.com/golang/go/issues/45430'
-                type: boolean
               sniStrict:
                 description: SniStrict defines whether Traefik allows connections
                   from clients connections that do not specify a server_name extension.

docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml

@@ -193,7 +193,6 @@ spec:
       - foobar
     clientAuthType: RequireAndVerifyClientCert
   sniStrict: true
-  preferServerCipherSuites: true
   alpnProtocols:
     - foobar
     - foobar

docs/content/reference/dynamic-configuration/kv-ref.md

@@ -37,7 +37,6 @@
 | `traefik/http/middlewares/Middleware09/forwardAuth/authResponseHeaders/1` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/authResponseHeadersRegex` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/ca` | `foobar` |
-| `traefik/http/middlewares/Middleware09/forwardAuth/tls/caOptional` | `true` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/cert` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/insecureSkipVerify` | `true` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/key` | `foobar` |
@@ -66,7 +65,6 @@
 | `traefik/http/middlewares/Middleware10/headers/customRequestHeaders/name1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/customResponseHeaders/name0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/customResponseHeaders/name1` | `foobar` |
-| `traefik/http/middlewares/Middleware10/headers/featurePolicy` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/forceSTSHeader` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/frameDeny` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/hostsProxyHeaders/0` | `foobar` |
@@ -75,12 +73,8 @@
 | `traefik/http/middlewares/Middleware10/headers/permissionsPolicy` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/publicKey` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/referrerPolicy` | `foobar` |
-| `traefik/http/middlewares/Middleware10/headers/sslForceHost` | `true` |
-| `traefik/http/middlewares/Middleware10/headers/sslHost` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/sslProxyHeaders/name0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/sslProxyHeaders/name1` | `foobar` |
-| `traefik/http/middlewares/Middleware10/headers/sslRedirect` | `true` |
-| `traefik/http/middlewares/Middleware10/headers/sslTemporaryRedirect` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/stsIncludeSubdomains` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/stsPreload` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/stsSeconds` | `42` |
@@ -135,7 +129,6 @@
 | `traefik/http/middlewares/Middleware19/replacePathRegex/replacement` | `foobar` |
 | `traefik/http/middlewares/Middleware20/retry/attempts` | `42` |
 | `traefik/http/middlewares/Middleware20/retry/initialInterval` | `42s` |
-| `traefik/http/middlewares/Middleware21/stripPrefix/forceSlash` | `true` |
 | `traefik/http/middlewares/Middleware21/stripPrefix/prefixes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware21/stripPrefix/prefixes/1` | `foobar` |
 | `traefik/http/middlewares/Middleware22/stripPrefixRegex/regex/0` | `foobar` |
@@ -312,7 +305,6 @@
 | `traefik/tls/options/Options0/curvePreferences/1` | `foobar` |
 | `traefik/tls/options/Options0/maxVersion` | `foobar` |
 | `traefik/tls/options/Options0/minVersion` | `foobar` |
-| `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
 | `traefik/tls/options/Options0/sniStrict` | `true` |
 | `traefik/tls/options/Options1/alpnProtocols/0` | `foobar` |
 | `traefik/tls/options/Options1/alpnProtocols/1` | `foobar` |
@@ -325,7 +317,6 @@
 | `traefik/tls/options/Options1/curvePreferences/1` | `foobar` |
 | `traefik/tls/options/Options1/maxVersion` | `foobar` |
 | `traefik/tls/options/Options1/minVersion` | `foobar` |
-| `traefik/tls/options/Options1/preferServerCipherSuites` | `true` |
 | `traefik/tls/options/Options1/sniStrict` | `true` |
 | `traefik/tls/stores/Store0/defaultCertificate/certFile` | `foobar` |
 | `traefik/tls/stores/Store0/defaultCertificate/keyFile` | `foobar` |

docs/content/reference/dynamic-configuration/marathon-labels.json

@@ -31,7 +31,6 @@
 "traefik.http.middlewares.middleware09.forwardauth.authresponseheaders": "foobar, foobar",
 "traefik.http.middlewares.middleware09.forwardauth.authresponseheadersregex": "foobar",
 "traefik.http.middlewares.middleware09.forwardauth.tls.ca": "foobar",
-"traefik.http.middlewares.middleware09.forwardauth.tls.caoptional": "true",
 "traefik.http.middlewares.middleware09.forwardauth.tls.cert": "foobar",
 "traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify": "true",
 "traefik.http.middlewares.middleware09.forwardauth.tls.key": "foobar",
@@ -54,7 +53,6 @@
 "traefik.http.middlewares.middleware10.headers.customrequestheaders.name1": "foobar",
 "traefik.http.middlewares.middleware10.headers.customresponseheaders.name0": "foobar",
 "traefik.http.middlewares.middleware10.headers.customresponseheaders.name1": "foobar",
-"traefik.http.middlewares.middleware10.headers.featurepolicy": "foobar",
 "traefik.http.middlewares.middleware10.headers.forcestsheader": "true",
 "traefik.http.middlewares.middleware10.headers.framedeny": "true",
 "traefik.http.middlewares.middleware10.headers.hostsproxyheaders": "foobar, foobar",
@@ -62,12 +60,8 @@
 "traefik.http.middlewares.middleware10.headers.permissionspolicy": "foobar",
 "traefik.http.middlewares.middleware10.headers.publickey": "foobar",
 "traefik.http.middlewares.middleware10.headers.referrerpolicy": "foobar",
-"traefik.http.middlewares.middleware10.headers.sslforcehost": "true",
-"traefik.http.middlewares.middleware10.headers.sslhost": "foobar",
 "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0": "foobar",
 "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1": "foobar",
-"traefik.http.middlewares.middleware10.headers.sslredirect": "true",
-"traefik.http.middlewares.middleware10.headers.ssltemporaryredirect": "true",
 "traefik.http.middlewares.middleware10.headers.stsincludesubdomains": "true",
 "traefik.http.middlewares.middleware10.headers.stspreload": "true",
 "traefik.http.middlewares.middleware10.headers.stsseconds": "42",
@@ -118,7 +112,6 @@
 "traefik.http.middlewares.middleware19.replacepathregex.replacement": "foobar",
 "traefik.http.middlewares.middleware20.retry.attempts": "42",
 "traefik.http.middlewares.middleware20.retry.initialinterval": "42",
-"traefik.http.middlewares.middleware21.stripprefix.forceslash": "true",
 "traefik.http.middlewares.middleware21.stripprefix.prefixes": "foobar, foobar",
 "traefik.http.middlewares.middleware22.stripprefixregex.regex": "foobar, foobar",
 "traefik.http.middlewares.middleware23.grpcweb.alloworigins": "foobar, foobar",

docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml

@@ -369,8 +369,6 @@ spec:
                     description: TLS defines the configuration used to secure the
                       connection to the authentication server.
                     properties:
-                      caOptional:
-                        type: boolean
                       caSecret:
                         description: CASecret is the name of the referenced Kubernetes
                           Secret containing the CA to validate the server certificate.
@@ -489,9 +487,6 @@ spec:
                     description: CustomResponseHeaders defines the header names and
                       values to apply to the response.
                     type: object
-                  featurePolicy:
-                    description: 'Deprecated: use PermissionsPolicy instead.'
-                    type: string
                   forceSTSHeader:
                     description: ForceSTSHeader defines whether to add the STS header
                       even when the connection is HTTP.
@@ -527,12 +522,6 @@ spec:
                       value. This allows sites to control whether browsers forward
                       the Referer header to other sites.
                     type: string
-                  sslForceHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: boolean
-                  sslHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: string
                   sslProxyHeaders:
                     additionalProperties:
                       type: string
@@ -541,14 +530,6 @@ spec:
                       useful when using other proxies (example: "X-Forwarded-Proto":
                       "https").'
                     type: object
-                  sslRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
-                  sslTemporaryRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
                   stsIncludeSubdomains:
                     description: STSIncludeSubdomains defines whether the includeSubDomains
                       directive is appended to the Strict-Transport-Security header.
@@ -890,11 +871,6 @@ spec:
                   This middleware removes the specified prefixes from the URL path.
                   More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefix/'
                 properties:
-                  forceSlash:
-                    description: 'ForceSlash ensures that the resulting stripped path
-                      is not the empty string, by replacing it with / when necessary.
-                      Default: true.'
-                    type: boolean
                   prefixes:
                     description: Prefixes defines the prefixes to strip from the request
                       URL.

docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml

@@ -88,12 +88,6 @@ spec:
                   will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                   VersionTLS13. Default: VersionTLS10.'
                 type: string
-              preferServerCipherSuites:
-                description: 'PreferServerCipherSuites defines whether the server
-                  chooses a cipher suite among his own instead of among the client''s.
-                  It is enabled automatically when minVersion or maxVersion is set.
-                  Deprecated: https://github.com/golang/go/issues/45430'
-                type: boolean
               sniStrict:
                 description: SniStrict defines whether Traefik allows connections
                   from clients connections that do not specify a server_name extension.

docs/content/reference/static-configuration/cli-ref.md

@@ -417,9 +417,6 @@ Enable Consul backend with default settings. (Default: ```false```)
 `--providers.consul.endpoints`:  
 KV store endpoints. (Default: ```127.0.0.1:8500```)
 
-`--providers.consul.namespace`:  
-Sets the namespace used to discover the configuration (Consul Enterprise only).
-
 `--providers.consul.namespaces`:  
 Sets the namespaces used to discover the configuration (Consul Enterprise only).
 
@@ -429,9 +426,6 @@ Root key used for KV store. (Default: ```traefik```)
 `--providers.consul.tls.ca`:  
 TLS CA
 
-`--providers.consul.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.consul.tls.cert`:  
 TLS cert
 
@@ -483,9 +477,6 @@ The URI scheme for the Consul server
 `--providers.consulcatalog.endpoint.tls.ca`:  
 TLS CA
 
-`--providers.consulcatalog.endpoint.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.consulcatalog.endpoint.tls.cert`:  
 TLS cert
 
@@ -501,9 +492,6 @@ Token is used to provide a per-request ACL token which overrides the agent's def
 `--providers.consulcatalog.exposedbydefault`:  
 Expose containers by default. (Default: ```true```)
 
-`--providers.consulcatalog.namespace`:  
-Sets the namespace used to discover services (Consul Enterprise only).
-
 `--providers.consulcatalog.namespaces`:  
 Sets the namespaces used to discover services (Consul Enterprise only).
 
@@ -558,9 +546,6 @@ Polling interval for swarm mode. (Default: ```15```)
 `--providers.docker.tls.ca`:  
 TLS CA
 
-`--providers.docker.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.docker.tls.cert`:  
 TLS cert
 
@@ -627,9 +612,6 @@ Root key used for KV store. (Default: ```traefik```)
 `--providers.etcd.tls.ca`:  
 TLS CA
 
-`--providers.etcd.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.etcd.tls.cert`:  
 TLS cert
 
@@ -672,9 +654,6 @@ Polling timeout for endpoint. (Default: ```5```)
 `--providers.http.tls.ca`:  
 TLS CA
 
-`--providers.http.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.http.tls.cert`:  
 TLS cert
 
@@ -819,9 +798,6 @@ Set a response header timeout for Marathon. (Default: ```60```)
 `--providers.marathon.tls.ca`:  
 TLS CA
 
-`--providers.marathon.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.marathon.tls.cert`:  
 TLS cert
 
@@ -861,9 +837,6 @@ Nomad region to use. If not provided, the local agent region is used.
 `--providers.nomad.endpoint.tls.ca`:  
 TLS CA
 
-`--providers.nomad.endpoint.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.nomad.endpoint.tls.cert`:  
 TLS cert
 
@@ -879,9 +852,6 @@ Token is used to provide a per-request ACL token.
 `--providers.nomad.exposedbydefault`:  
 Expose Nomad services by default. (Default: ```true```)
 
-`--providers.nomad.namespace`:  
-Sets the Nomad namespace used to discover services.
-
 `--providers.nomad.namespaces`:  
 Sets the Nomad namespaces used to discover services.
 
@@ -945,9 +915,6 @@ Root key used for KV store. (Default: ```traefik```)
 `--providers.redis.tls.ca`:  
 TLS CA
 
-`--providers.redis.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.redis.tls.cert`:  
 TLS cert
 
@@ -1023,9 +990,6 @@ Sets the header name prefix used to store baggage items in a map.
 `--tracing.datadog.debug`:  
 Enables Datadog debug. (Default: ```false```)
 
-`--tracing.datadog.globaltag`:  
-Sets a key:value tag on all spans.
-
 `--tracing.datadog.globaltags.<name>`:  
 Sets a list of key:value tags on all spans.
 

docs/content/reference/static-configuration/env-ref.md

@@ -453,9 +453,6 @@ The URI scheme for the Consul server
 `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CA`:  
 TLS CA
 
-`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CERT`:  
 TLS cert
 
@@ -471,9 +468,6 @@ Token is used to provide a per-request ACL token which overrides the agent's def
 `TRAEFIK_PROVIDERS_CONSULCATALOG_EXPOSEDBYDEFAULT`:  
 Expose containers by default. (Default: ```true```)
 
-`TRAEFIK_PROVIDERS_CONSULCATALOG_NAMESPACE`:  
-Sets the namespace used to discover services (Consul Enterprise only).
-
 `TRAEFIK_PROVIDERS_CONSULCATALOG_NAMESPACES`:  
 Sets the namespaces used to discover services (Consul Enterprise only).
 
@@ -498,9 +492,6 @@ Watch Consul API events. (Default: ```false```)
 `TRAEFIK_PROVIDERS_CONSUL_ENDPOINTS`:  
 KV store endpoints. (Default: ```127.0.0.1:8500```)
 
-`TRAEFIK_PROVIDERS_CONSUL_NAMESPACE`:  
-Sets the namespace used to discover the configuration (Consul Enterprise only).
-
 `TRAEFIK_PROVIDERS_CONSUL_NAMESPACES`:  
 Sets the namespaces used to discover the configuration (Consul Enterprise only).
 
@@ -510,9 +501,6 @@ Root key used for KV store. (Default: ```traefik```)
 `TRAEFIK_PROVIDERS_CONSUL_TLS_CA`:  
 TLS CA
 
-`TRAEFIK_PROVIDERS_CONSUL_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_CONSUL_TLS_CERT`:  
 TLS cert
 
@@ -558,9 +546,6 @@ Polling interval for swarm mode. (Default: ```15```)
 `TRAEFIK_PROVIDERS_DOCKER_TLS_CA`:  
 TLS CA
 
-`TRAEFIK_PROVIDERS_DOCKER_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_DOCKER_TLS_CERT`:  
 TLS cert
 
@@ -627,9 +612,6 @@ Root key used for KV store. (Default: ```traefik```)
 `TRAEFIK_PROVIDERS_ETCD_TLS_CA`:  
 TLS CA
 
-`TRAEFIK_PROVIDERS_ETCD_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_ETCD_TLS_CERT`:  
 TLS cert
 
@@ -672,9 +654,6 @@ Polling timeout for endpoint. (Default: ```5```)
 `TRAEFIK_PROVIDERS_HTTP_TLS_CA`:  
 TLS CA
 
-`TRAEFIK_PROVIDERS_HTTP_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_HTTP_TLS_CERT`:  
 TLS cert
 
@@ -822,9 +801,6 @@ Set a TLS handshake timeout for Marathon. (Default: ```5```)
 `TRAEFIK_PROVIDERS_MARATHON_TLS_CA`:  
 TLS CA
 
-`TRAEFIK_PROVIDERS_MARATHON_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_MARATHON_TLS_CERT`:  
 TLS cert
 
@@ -861,9 +837,6 @@ Nomad region to use. If not provided, the local agent region is used.
 `TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TLS_CA`:  
 TLS CA
 
-`TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TLS_CERT`:  
 TLS cert
 
@@ -879,9 +852,6 @@ Token is used to provide a per-request ACL token.
 `TRAEFIK_PROVIDERS_NOMAD_EXPOSEDBYDEFAULT`:  
 Expose Nomad services by default. (Default: ```true```)
 
-`TRAEFIK_PROVIDERS_NOMAD_NAMESPACE`:  
-Sets the Nomad namespace used to discover services.
-
 `TRAEFIK_PROVIDERS_NOMAD_NAMESPACES`:  
 Sets the Nomad namespaces used to discover services.
 
@@ -945,9 +915,6 @@ Root key used for KV store. (Default: ```traefik```)
 `TRAEFIK_PROVIDERS_REDIS_TLS_CA`:  
 TLS CA
 
-`TRAEFIK_PROVIDERS_REDIS_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_REDIS_TLS_CERT`:  
 TLS cert
 
@@ -1023,9 +990,6 @@ Sets the header name prefix used to store baggage items in a map.
 `TRAEFIK_TRACING_DATADOG_DEBUG`:  
 Enables Datadog debug. (Default: ```false```)
 
-`TRAEFIK_TRACING_DATADOG_GLOBALTAG`:  
-Sets a key:value tag on all spans.
-
 `TRAEFIK_TRACING_DATADOG_GLOBALTAGS_<NAME>`:  
 Sets a list of key:value tags on all spans.
 

docs/content/reference/static-configuration/file.toml

@@ -71,7 +71,6 @@
     allowEmptyServices = true
     [providers.docker.tls]
       ca = "foobar"
-      caOptional = true
       cert = "foobar"
       key = "foobar"
       insecureSkipVerify = true
@@ -96,7 +95,6 @@
     respectReadinessChecks = true
     [providers.marathon.tls]
       ca = "foobar"
-      caOptional = true
       cert = "foobar"
       key = "foobar"
       insecureSkipVerify = true
@@ -159,7 +157,6 @@
     connectByDefault = true
     serviceName = "foobar"
     watch = true
-    namespace = "foobar"
     namespaces = ["foobar", "foobar"]
     [providers.consulCatalog.endpoint]
       address = "foobar"
@@ -169,7 +166,6 @@
       endpointWaitTime = "42s"
       [providers.consulCatalog.endpoint.tls]
         ca = "foobar"
-        caOptional = true
         cert = "foobar"
         key = "foobar"
         insecureSkipVerify = true
@@ -181,7 +177,6 @@
     constraints = "foobar"
     prefix = "foobar"
     stale = true
-    namespace = "foobar"
     namespaces = ["foobar", "foobar"]
     exposedByDefault = true
     refreshInterval = "42s"
@@ -192,7 +187,6 @@
       endpointWaitTime = "42s"
       [providers.nomad.endpoint.tls]
         ca = "foobar"
-        caOptional = true
         cert = "foobar"
         key = "foobar"
         insecureSkipVerify = true
@@ -212,11 +206,9 @@
     rootKey = "foobar"
     endpoints = ["foobar", "foobar"]
     token = "foobar"
-    namespace = "foobar"
     namespaces = ["foobar", "foobar"]
     [providers.consul.tls]
       ca = "foobar"
-      caOptional = true
       cert = "foobar"
       key = "foobar"
       insecureSkipVerify = true
@@ -227,7 +219,6 @@
     password = "foobar"
     [providers.etcd.tls]
       ca = "foobar"
-      caOptional = true
       cert = "foobar"
       key = "foobar"
       insecureSkipVerify = true
@@ -244,7 +235,6 @@
     db = 42
     [providers.redis.tls]
       ca = "foobar"
-      caOptional = true
       cert = "foobar"
       key = "foobar"
       insecureSkipVerify = true
@@ -257,7 +247,6 @@
       name1 = "foobar"
     [providers.http.tls]
       ca = "foobar"
-      caOptional = true
       cert = "foobar"
       key = "foobar"
       insecureSkipVerify = true
@@ -376,7 +365,6 @@
     sampleRate = 42.0
   [tracing.datadog]
     localAgentHostPort = "foobar"
-    globalTag = "foobar"
     [tracing.datadog.globalTags]
       tag1 = "foobar"
       tag2 = "foobar"

docs/content/reference/static-configuration/file.yaml

@@ -70,7 +70,6 @@ providers:
     defaultRule: foobar
     tls:
       ca: foobar
-      caOptional: true
       cert: foobar
       key: foobar
       insecureSkipVerify: true
@@ -96,7 +95,6 @@ providers:
     dcosToken: foobar
     tls:
       ca: foobar
-      caOptional: true
       cert: foobar
       key: foobar
       insecureSkipVerify: true
@@ -171,7 +169,6 @@ providers:
     connectByDefault: true
     serviceName: foobar
     watch: true
-    namespace: foobar
     namespaces:
       - foobar
       - foobar
@@ -183,7 +180,6 @@ providers:
       endpointWaitTime: 42s
       tls:
         ca: foobar
-        caOptional: true
         cert: foobar
         key: foobar
         insecureSkipVerify: true
@@ -195,7 +191,6 @@ providers:
     constraints: foobar
     prefix: foobar
     stale: true
-    namespace: foobar
     namespaces:
       - foobar
       - foobar
@@ -208,7 +203,6 @@ providers:
       endpointWaitTime: 42s
       tls:
         ca: foobar
-        caOptional: true
         cert: foobar
         key: foobar
         insecureSkipVerify: true
@@ -232,13 +226,11 @@ providers:
       - foobar
       - foobar
     token: foobar
-    namespace: foobar
     namespaces:
       - foobar
       - foobar
     tls:
       ca: foobar
-      caOptional: true
       cert: foobar
       key: foobar
       insecureSkipVerify: true
@@ -251,7 +243,6 @@ providers:
     password: foobar
     tls:
       ca: foobar
-      caOptional: true
       cert: foobar
       key: foobar
       insecureSkipVerify: true
@@ -272,7 +263,6 @@ providers:
     db: 42
     tls:
       ca: foobar
-      caOptional: true
       cert: foobar
       key: foobar
       insecureSkipVerify: true
@@ -285,7 +275,6 @@ providers:
       name1: foobar
     tls:
       ca: foobar
-      caOptional: true
       cert: foobar
       key: foobar
       insecureSkipVerify: true
@@ -402,7 +391,6 @@ tracing:
     sampleRate: 42
   datadog:
     localAgentHostPort: foobar
-    globalTag: foobar
     globalTags:
       tag1: foobar
       tag2: foobar

integration/consul_test.go

@@ -102,7 +102,6 @@ func (s *ConsulSuite) TestSimpleConfiguration(c *check.C) {
 		"traefik/http/middlewares/compressor/compress":            "",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/0": "foo",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/1": "bar",
-		"traefik/http/middlewares/striper/stripPrefix/forceSlash": "true",
 	}
 
 	for k, v := range data {

integration/etcd_test.go

@@ -97,7 +97,6 @@ func (s *EtcdSuite) TestSimpleConfiguration(c *check.C) {
 		"traefik/http/middlewares/compressor/compress":            "",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/0": "foo",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/1": "bar",
-		"traefik/http/middlewares/striper/stripPrefix/forceSlash": "true",
 	}
 
 	for k, v := range data {

integration/fixtures/k8s/01-traefik-crd.yml

@@ -946,8 +946,6 @@ spec:
                     description: TLS defines the configuration used to secure the
                       connection to the authentication server.
                     properties:
-                      caOptional:
-                        type: boolean
                       caSecret:
                         description: CASecret is the name of the referenced Kubernetes
                           Secret containing the CA to validate the server certificate.
@@ -1066,9 +1064,6 @@ spec:
                     description: CustomResponseHeaders defines the header names and
                       values to apply to the response.
                     type: object
-                  featurePolicy:
-                    description: 'Deprecated: use PermissionsPolicy instead.'
-                    type: string
                   forceSTSHeader:
                     description: ForceSTSHeader defines whether to add the STS header
                       even when the connection is HTTP.
@@ -1104,12 +1099,6 @@ spec:
                       value. This allows sites to control whether browsers forward
                       the Referer header to other sites.
                     type: string
-                  sslForceHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: boolean
-                  sslHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: string
                   sslProxyHeaders:
                     additionalProperties:
                       type: string
@@ -1118,14 +1107,6 @@ spec:
                       useful when using other proxies (example: "X-Forwarded-Proto":
                       "https").'
                     type: object
-                  sslRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
-                  sslTemporaryRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
                   stsIncludeSubdomains:
                     description: STSIncludeSubdomains defines whether the includeSubDomains
                       directive is appended to the Strict-Transport-Security header.
@@ -1467,11 +1448,6 @@ spec:
                   This middleware removes the specified prefixes from the URL path.
                   More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefix/'
                 properties:
-                  forceSlash:
-                    description: 'ForceSlash ensures that the resulting stripped path
-                      is not the empty string, by replacing it with / when necessary.
-                      Default: true.'
-                    type: boolean
                   prefixes:
                     description: Prefixes defines the prefixes to strip from the request
                       URL.
@@ -1807,12 +1783,6 @@ spec:
                   will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                   VersionTLS13. Default: VersionTLS10.'
                 type: string
-              preferServerCipherSuites:
-                description: 'PreferServerCipherSuites defines whether the server
-                  chooses a cipher suite among his own instead of among the client''s.
-                  It is enabled automatically when minVersion or maxVersion is set.
-                  Deprecated: https://github.com/golang/go/issues/45430'
-                type: boolean
               sniStrict:
                 description: SniStrict defines whether Traefik allows connections
                   from clients connections that do not specify a server_name extension.

integration/redis_test.go

@@ -98,7 +98,6 @@ func (s *RedisSuite) TestSimpleConfiguration(c *check.C) {
 		"traefik/http/middlewares/compressor/compress":            "true",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/0": "foo",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/1": "bar",
-		"traefik/http/middlewares/striper/stripPrefix/forceSlash": "true",
 	}
 
 	for k, v := range data {

integration/testdata/rawdata-consul.json

@@ -112,8 +112,7 @@
         "prefixes": [
           "foo",
           "bar"
-        ],
+        ]
-        "forceSlash": true
       },
       "status": "enabled",
       "usedBy": [

integration/testdata/rawdata-etcd.json

@@ -112,8 +112,7 @@
         "prefixes": [
           "foo",
           "bar"
-        ],
+        ]
-        "forceSlash": true
       },
       "status": "enabled",
       "usedBy": [

integration/testdata/rawdata-redis.json

@@ -112,8 +112,7 @@
         "prefixes": [
           "foo",
           "bar"
-        ],
+        ]
-        "forceSlash": true
       },
       "status": "enabled",
       "usedBy": [

integration/testdata/rawdata-zk.json

@@ -112,8 +112,7 @@
         "prefixes": [
           "foo",
           "bar"
-        ],
+        ]
-        "forceSlash": true
       },
       "status": "enabled",
       "usedBy": [

integration/zk_test.go

@@ -100,7 +100,6 @@ func (s *ZookeeperSuite) TestSimpleConfiguration(c *check.C) {
 		"traefik/http/middlewares/compressor/compress":            "",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/0": "foo",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/1": "bar",
-		"traefik/http/middlewares/striper/stripPrefix/forceSlash": "true",
 	}
 
 	for k, v := range data {

pkg/config/dynamic/fixtures/sample.toml

@@ -46,7 +46,6 @@
     httpClientTimeout = 42
     [providers.docker.tls]
       ca = "foobar"
-      caOptional = true
       cert = "foobar"
       key = "foobar"
       insecureSkipVerify = true
@@ -71,7 +70,6 @@
     respectReadinessChecks = true
     [providers.marathon.tls]
       ca = "foobar"
-      caOptional = true
       cert = "foobar"
       key = "foobar"
       insecureSkipVerify = true
@@ -182,7 +180,6 @@
     sampleRate = 42.0
   [tracing.datadog]
     localAgentHostPort = "foobar"
-    globalTag = "foobar"
     debug = true
     prioritySampling = true
     traceIDHeaderName = "foobar"
@@ -292,7 +289,6 @@
         authRequestHeaders = ["foobar", "foobar"]
         [http.middlewares.Middleware15.forwardAuth.tls]
           ca = "foobar"
-          caOptional = true
           cert = "foobar"
           key = "foobar"
           insecureSkipVerify = true
@@ -376,10 +372,6 @@
         addVaryHeader = true
         allowedHosts = ["foobar", "foobar"]
         hostsProxyHeaders = ["foobar", "foobar"]
-        sslRedirect = true
-        sslTemporaryRedirect = true
-        sslHost = "foobar"
-        sslForceHost = true
         stsSeconds = 42
         stsIncludeSubdomains = true
         stsPreload = true
@@ -392,7 +384,6 @@
         contentSecurityPolicy = "foobar"
         publicKey = "foobar"
         referrerPolicy = "foobar"
-        featurePolicy = "foobar"
         isDevelopment = true
         [http.middlewares.Middleware8.headers.customRequestHeaders]
           name0 = "foobar"

pkg/config/dynamic/middlewares.go

@@ -260,17 +260,9 @@ type Headers struct {
 	AllowedHosts []string `json:"allowedHosts,omitempty" toml:"allowedHosts,omitempty" yaml:"allowedHosts,omitempty"`
 	// HostsProxyHeaders defines the header keys that may hold a proxied hostname value for the request.
 	HostsProxyHeaders []string `json:"hostsProxyHeaders,omitempty" toml:"hostsProxyHeaders,omitempty" yaml:"hostsProxyHeaders,omitempty" export:"true"`
-	// Deprecated: use EntryPoint redirection or RedirectScheme instead.
-	SSLRedirect bool `json:"sslRedirect,omitempty" toml:"sslRedirect,omitempty" yaml:"sslRedirect,omitempty" export:"true"`
-	// Deprecated: use EntryPoint redirection or RedirectScheme instead.
-	SSLTemporaryRedirect bool `json:"sslTemporaryRedirect,omitempty" toml:"sslTemporaryRedirect,omitempty" yaml:"sslTemporaryRedirect,omitempty" export:"true"`
-	// Deprecated: use RedirectRegex instead.
-	SSLHost string `json:"sslHost,omitempty" toml:"sslHost,omitempty" yaml:"sslHost,omitempty"`
 	// SSLProxyHeaders defines the header keys with associated values that would indicate a valid HTTPS request.
 	// It can be useful when using other proxies (example: "X-Forwarded-Proto": "https").
 	SSLProxyHeaders map[string]string `json:"sslProxyHeaders,omitempty" toml:"sslProxyHeaders,omitempty" yaml:"sslProxyHeaders,omitempty"`
-	// Deprecated: use RedirectRegex instead.
-	SSLForceHost bool `json:"sslForceHost,omitempty" toml:"sslForceHost,omitempty" yaml:"sslForceHost,omitempty" export:"true"`
 	// STSSeconds defines the max-age of the Strict-Transport-Security header.
 	// If set to 0, the header is not set.
 	STSSeconds int64 `json:"stsSeconds,omitempty" toml:"stsSeconds,omitempty" yaml:"stsSeconds,omitempty" export:"true"`
@@ -299,8 +291,6 @@ type Headers struct {
 	// ReferrerPolicy defines the Referrer-Policy header value.
 	// This allows sites to control whether browsers forward the Referer header to other sites.
 	ReferrerPolicy string `json:"referrerPolicy,omitempty" toml:"referrerPolicy,omitempty" yaml:"referrerPolicy,omitempty" export:"true"`
-	// Deprecated: use PermissionsPolicy instead.
-	FeaturePolicy string `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty" export:"true"`
 	// PermissionsPolicy defines the Permissions-Policy header value.
 	// This allows sites to control browser features.
 	PermissionsPolicy string `json:"permissionsPolicy,omitempty" toml:"permissionsPolicy,omitempty" yaml:"permissionsPolicy,omitempty" export:"true"`
@@ -333,10 +323,6 @@ func (h *Headers) HasCorsHeadersDefined() bool {
 func (h *Headers) HasSecureHeadersDefined() bool {
 	return h != nil && (len(h.AllowedHosts) != 0 ||
 		len(h.HostsProxyHeaders) != 0 ||
-		h.SSLRedirect ||
-		h.SSLTemporaryRedirect ||
-		h.SSLForceHost ||
-		h.SSLHost != "" ||
 		len(h.SSLProxyHeaders) != 0 ||
 		h.STSSeconds != 0 ||
 		h.STSIncludeSubdomains ||
@@ -350,7 +336,6 @@ func (h *Headers) HasSecureHeadersDefined() bool {
 		h.ContentSecurityPolicy != "" ||
 		h.PublicKey != "" ||
 		h.ReferrerPolicy != "" ||
-		h.FeaturePolicy != "" ||
 		h.PermissionsPolicy != "" ||
 		h.IsDevelopment)
 }
@@ -553,14 +538,6 @@ type Retry struct {
 type StripPrefix struct {
 	// Prefixes defines the prefixes to strip from the request URL.
 	Prefixes []string `json:"prefixes,omitempty" toml:"prefixes,omitempty" yaml:"prefixes,omitempty" export:"true"`
-	// ForceSlash ensures that the resulting stripped path is not the empty string, by replacing it with / when necessary.
-	// Default: true.
-	ForceSlash bool `json:"forceSlash,omitempty" toml:"forceSlash,omitempty" yaml:"forceSlash,omitempty" export:"true"` // Deprecated
-}
-
-// SetDefaults Default values for a StripPrefix.
-func (s *StripPrefix) SetDefaults() {
-	s.ForceSlash = true
 }
 
 // +k8s:deepcopy-gen=true

pkg/config/label/label_test.go

@@ -42,7 +42,6 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.http.middlewares.Middleware7.forwardauth.authresponseheaders":                     "foobar, fiibar",
 		"traefik.http.middlewares.Middleware7.forwardauth.authrequestheaders":                      "foobar, fiibar",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.ca":                                  "foobar",
-		"traefik.http.middlewares.Middleware7.forwardauth.tls.caoptional":                          "true",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.cert":                                "foobar",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.insecureskipverify":                  "true",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.key":                                 "foobar",
@@ -71,14 +70,9 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.http.middlewares.Middleware8.headers.isdevelopment":                               "true",
 		"traefik.http.middlewares.Middleware8.headers.publickey":                                   "foobar",
 		"traefik.http.middlewares.Middleware8.headers.referrerpolicy":                              "foobar",
-		"traefik.http.middlewares.Middleware8.headers.featurepolicy":                               "foobar",
 		"traefik.http.middlewares.Middleware8.headers.permissionspolicy":                           "foobar",
-		"traefik.http.middlewares.Middleware8.headers.sslforcehost":                                "true",
-		"traefik.http.middlewares.Middleware8.headers.sslhost":                                     "foobar",
 		"traefik.http.middlewares.Middleware8.headers.sslproxyheaders.name0":                       "foobar",
 		"traefik.http.middlewares.Middleware8.headers.sslproxyheaders.name1":                       "foobar",
-		"traefik.http.middlewares.Middleware8.headers.sslredirect":                                 "true",
-		"traefik.http.middlewares.Middleware8.headers.ssltemporaryredirect":                        "true",
 		"traefik.http.middlewares.Middleware8.headers.stsincludesubdomains":                        "true",
 		"traefik.http.middlewares.Middleware8.headers.stspreload":                                  "true",
 		"traefik.http.middlewares.Middleware8.headers.stsseconds":                                  "42",
@@ -462,7 +456,6 @@ func TestDecodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
-						ForceSlash: true,
 					},
 				},
 				"Middleware18": {
@@ -530,7 +523,6 @@ func TestDecodeConfiguration(t *testing.T) {
 						Address: "foobar",
 						TLS: &types.ClientTLS{
 							CA:                 "foobar",
-							CAOptional:         true,
 							Cert:               "foobar",
 							Key:                "foobar",
 							InsecureSkipVerify: true,
@@ -587,14 +579,10 @@ func TestDecodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
-						SSLRedirect:          true,
-						SSLTemporaryRedirect: true,
-						SSLHost:              "foobar",
 						SSLProxyHeaders: map[string]string{
 							"name0": "foobar",
 							"name1": "foobar",
 						},
-						SSLForceHost:            true,
 						STSSeconds:              42,
 						STSIncludeSubdomains:    true,
 						STSPreload:              true,
@@ -607,7 +595,6 @@ func TestDecodeConfiguration(t *testing.T) {
 						ContentSecurityPolicy:   "foobar",
 						PublicKey:               "foobar",
 						ReferrerPolicy:          "foobar",
-						FeaturePolicy:           "foobar",
 						PermissionsPolicy:       "foobar",
 						IsDevelopment:           true,
 					},
@@ -958,7 +945,6 @@ func TestEncodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
-						ForceSlash: true,
 					},
 				},
 				"Middleware18": {
@@ -1034,7 +1020,6 @@ func TestEncodeConfiguration(t *testing.T) {
 						Address: "foobar",
 						TLS: &types.ClientTLS{
 							CA:                 "foobar",
-							CAOptional:         true,
 							Cert:               "foobar",
 							Key:                "foobar",
 							InsecureSkipVerify: true,
@@ -1091,14 +1076,10 @@ func TestEncodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
-						SSLRedirect:          true,
-						SSLTemporaryRedirect: true,
-						SSLHost:              "foobar",
 						SSLProxyHeaders: map[string]string{
 							"name0": "foobar",
 							"name1": "foobar",
 						},
-						SSLForceHost:            true,
 						STSSeconds:              42,
 						STSIncludeSubdomains:    true,
 						STSPreload:              true,
@@ -1111,7 +1092,6 @@ func TestEncodeConfiguration(t *testing.T) {
 						ContentSecurityPolicy:   "foobar",
 						PublicKey:               "foobar",
 						ReferrerPolicy:          "foobar",
-						FeaturePolicy:           "foobar",
 						PermissionsPolicy:       "foobar",
 						IsDevelopment:           true,
 					},
@@ -1231,7 +1211,6 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.AuthResponseHeaders":                     "foobar, fiibar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.AuthRequestHeaders":                      "foobar, fiibar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CA":                                  "foobar",
-		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CAOptional":                          "true",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Cert":                                "foobar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.InsecureSkipVerify":                  "true",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Key":                                 "foobar",
@@ -1260,14 +1239,9 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware8.Headers.IsDevelopment":                               "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.PublicKey":                                   "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.ReferrerPolicy":                              "foobar",
-		"traefik.HTTP.Middlewares.Middleware8.Headers.FeaturePolicy":                               "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.PermissionsPolicy":                           "foobar",
-		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLForceHost":                                "true",
-		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLHost":                                     "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name0":                       "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name1":                       "foobar",
-		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLRedirect":                                 "true",
-		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLTemporaryRedirect":                        "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.STSIncludeSubdomains":                        "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.STSPreload":                                  "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.STSSeconds":                                  "42",
@@ -1318,7 +1292,6 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware16.Retry.Attempts":                                     "42",
 		"traefik.HTTP.Middlewares.Middleware16.Retry.InitialInterval":                              "1000000000",
 		"traefik.HTTP.Middlewares.Middleware17.StripPrefix.Prefixes":                               "foobar, fiibar",
-		"traefik.HTTP.Middlewares.Middleware17.StripPrefix.ForceSlash":                             "true",
 		"traefik.HTTP.Middlewares.Middleware18.StripPrefixRegex.Regex":                             "foobar, fiibar",
 		"traefik.HTTP.Middlewares.Middleware19.Compress.MinResponseBodyBytes":                      "42",
 		"traefik.HTTP.Middlewares.Middleware20.Plugin.tomato.aaa":                                  "foo1",

pkg/config/static/pilot.go

@@ -1,8 +0,0 @@
-package static
-
-// Pilot Configuration related to Traefik Pilot.
-// Deprecated.
-type Pilot struct {
-	Token     string `description:"Traefik Pilot token. (Deprecated)" json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty" loggable:"false"`
-	Dashboard bool   `description:"Enable Traefik Pilot in the dashboard. (Deprecated)" json:"dashboard,omitempty" toml:"dashboard,omitempty" yaml:"dashboard,omitempty"`
-}

pkg/config/static/static_config.go

@@ -78,9 +78,6 @@ type Configuration struct {
 
 	CertificatesResolvers map[string]CertificateResolver `description:"Certificates resolvers configuration." json:"certificatesResolvers,omitempty" toml:"certificatesResolvers,omitempty" yaml:"certificatesResolvers,omitempty" export:"true"`
 
-	// Deprecated.
-	Pilot *Pilot `description:"Traefik Pilot configuration (Deprecated)." json:"pilot,omitempty" toml:"pilot,omitempty" yaml:"pilot,omitempty" export:"true"`
-
 	Hub *hub.Provider `description:"Traefik Hub configuration." json:"hub,omitempty" toml:"hub,omitempty" yaml:"hub,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 
 	Experimental *Experimental `description:"experimental features." json:"experimental,omitempty" toml:"experimental,omitempty" yaml:"experimental,omitempty" export:"true"`
@@ -264,11 +261,6 @@ func (c *Configuration) SetEffectiveConfiguration() {
 		}
 	}
 
-	// Enable anonymous usage when pilot is enabled.
-	if c.Pilot != nil {
-		c.Global.SendAnonymousUsage = true
-	}
-
 	// Disable Gateway API provider if not enabled in experimental.
 	if c.Experimental == nil || !c.Experimental.KubernetesGateway {
 		c.Providers.KubernetesGateway = nil
@@ -346,18 +338,6 @@ func (c *Configuration) ValidateConfiguration() error {
 		acmeEmail = resolver.ACME.Email
 	}
 
-	if c.Providers.ConsulCatalog != nil && c.Providers.ConsulCatalog.Namespace != "" && len(c.Providers.ConsulCatalog.Namespaces) > 0 {
-		return fmt.Errorf("Consul Catalog provider cannot have both namespace and namespaces options configured")
-	}
-
-	if c.Providers.Consul != nil && c.Providers.Consul.Namespace != "" && len(c.Providers.Consul.Namespaces) > 0 {
-		return fmt.Errorf("Consul provider cannot have both namespace and namespaces options configured")
-	}
-
-	if c.Providers.Nomad != nil && c.Providers.Nomad.Namespace != "" && len(c.Providers.Nomad.Namespaces) > 0 {
-		return fmt.Errorf("Nomad provider cannot have both namespace and namespaces options configured")
-	}
-
 	return nil
 }
 

pkg/middlewares/headers/header.go

@@ -1,16 +1,13 @@
 package headers
 
 import (
-	"context"
 	"fmt"
 	"net/http"
 	"regexp"
 	"strconv"
 	"strings"
 
-	"github.com/rs/zerolog/log"
 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
-	"github.com/traefik/traefik/v2/pkg/logs"
 )
 
 // Header is a middleware that helps setup a few basic security features.
@@ -29,10 +26,6 @@ func NewHeader(next http.Handler, cfg dynamic.Headers) (*Header, error) {
 	hasCustomHeaders := cfg.HasCustomHeadersDefined()
 	hasCorsHeaders := cfg.HasCorsHeadersDefined()
 
-	ctx := log.With().Str(logs.MiddlewareType, typeName).Logger().WithContext(context.Background())
-
-	handleDeprecation(ctx, &cfg)
-
 	regexes := make([]*regexp.Regexp, len(cfg.AccessControlAllowOriginListRegex))
 	for i, str := range cfg.AccessControlAllowOriginListRegex {
 		reg, err := regexp.Compile(str)

pkg/middlewares/headers/headers.go

@@ -7,7 +7,6 @@ import (
 	"net/http"
 
 	"github.com/opentracing/opentracing-go/ext"
-	"github.com/rs/zerolog/log"
 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
 	"github.com/traefik/traefik/v2/pkg/middlewares"
 	"github.com/traefik/traefik/v2/pkg/middlewares/connectionheader"
@@ -18,26 +17,6 @@ const (
 	typeName = "Headers"
 )
 
-func handleDeprecation(ctx context.Context, cfg *dynamic.Headers) {
-	logger := log.Ctx(ctx).Warn()
-
-	if cfg.SSLRedirect {
-		logger.Msg("SSLRedirect is deprecated, please use entrypoint redirection instead.")
-	}
-	if cfg.SSLTemporaryRedirect {
-		logger.Msg("SSLTemporaryRedirect is deprecated, please use entrypoint redirection instead.")
-	}
-	if cfg.SSLHost != "" {
-		logger.Msg("SSLHost is deprecated, please use RedirectRegex middleware instead.")
-	}
-	if cfg.SSLForceHost {
-		logger.Msg("SSLForceHost is deprecated, please use RedirectScheme middleware instead.")
-	}
-	if cfg.FeaturePolicy != "" {
-		logger.Msg("FeaturePolicy is deprecated, please use PermissionsPolicy header instead.")
-	}
-}
-
 type headers struct {
 	name    string
 	handler http.Handler
@@ -49,10 +28,6 @@ func New(ctx context.Context, next http.Handler, cfg dynamic.Headers, name strin
 	logger := middlewares.GetLogger(ctx, name, typeName)
 	logger.Debug().Msg("Creating middleware")
 
-	mCtx := logger.WithContext(ctx)
-
-	handleDeprecation(mCtx, &cfg)
-
 	hasSecureHeaders := cfg.HasSecureHeadersDefined()
 	hasCustomHeaders := cfg.HasCustomHeadersDefined()
 	hasCorsHeaders := cfg.HasCorsHeadersDefined()

pkg/middlewares/headers/secure.go

@@ -21,9 +21,6 @@ func newSecure(next http.Handler, cfg dynamic.Headers, contextKey string) *secur
 		ForceSTSHeader:          cfg.ForceSTSHeader,
 		FrameDeny:               cfg.FrameDeny,
 		IsDevelopment:           cfg.IsDevelopment,
-		SSLRedirect:             cfg.SSLRedirect,
-		SSLForceHost:            cfg.SSLForceHost,
-		SSLTemporaryRedirect:    cfg.SSLTemporaryRedirect,
 		STSIncludeSubdomains:    cfg.STSIncludeSubdomains,
 		STSPreload:              cfg.STSPreload,
 		ContentSecurityPolicy:   cfg.ContentSecurityPolicy,
@@ -31,12 +28,10 @@ func newSecure(next http.Handler, cfg dynamic.Headers, contextKey string) *secur
 		CustomFrameOptionsValue: cfg.CustomFrameOptionsValue,
 		PublicKey:               cfg.PublicKey,
 		ReferrerPolicy:          cfg.ReferrerPolicy,
-		SSLHost:                 cfg.SSLHost,
 		AllowedHosts:            cfg.AllowedHosts,
 		HostsProxyHeaders:       cfg.HostsProxyHeaders,
 		SSLProxyHeaders:         cfg.SSLProxyHeaders,
 		STSSeconds:              cfg.STSSeconds,
-		FeaturePolicy:           cfg.FeaturePolicy,
 		PermissionsPolicy:       cfg.PermissionsPolicy,
 		SecureContextKey:        contextKey,
 	}

pkg/middlewares/headers/secure_test.go

@@ -11,125 +11,12 @@ import (
 
 // Middleware tests based on https://github.com/unrolled/secure
 
-func Test_newSecure_sslForceHost(t *testing.T) {
-	type expected struct {
-		statusCode int
-		location   string
-	}
-
-	testCases := []struct {
-		desc string
-		host string
-		cfg  dynamic.Headers
-		expected
-	}{
-		{
-			desc: "http should return a 301",
-			host: "http://powpow.example.com",
-			cfg: dynamic.Headers{
-				SSLRedirect:  true,
-				SSLForceHost: true,
-				SSLHost:      "powpow.example.com",
-			},
-			expected: expected{
-				statusCode: http.StatusMovedPermanently,
-				location:   "https://powpow.example.com",
-			},
-		},
-		{
-			desc: "http sub domain should return a 301",
-			host: "http://www.powpow.example.com",
-			cfg: dynamic.Headers{
-				SSLRedirect:  true,
-				SSLForceHost: true,
-				SSLHost:      "powpow.example.com",
-			},
-			expected: expected{
-				statusCode: http.StatusMovedPermanently,
-				location:   "https://powpow.example.com",
-			},
-		},
-		{
-			desc: "https should return a 200",
-			host: "https://powpow.example.com",
-			cfg: dynamic.Headers{
-				SSLRedirect:  true,
-				SSLForceHost: true,
-				SSLHost:      "powpow.example.com",
-			},
-			expected: expected{statusCode: http.StatusOK},
-		},
-		{
-			desc: "https sub domain should return a 301",
-			host: "https://www.powpow.example.com",
-			cfg: dynamic.Headers{
-				SSLRedirect:  true,
-				SSLForceHost: true,
-				SSLHost:      "powpow.example.com",
-			},
-			expected: expected{
-				statusCode: http.StatusMovedPermanently,
-				location:   "https://powpow.example.com",
-			},
-		},
-		{
-			desc: "http without force host and sub domain should return a 301",
-			host: "http://www.powpow.example.com",
-			cfg: dynamic.Headers{
-				SSLRedirect:  true,
-				SSLForceHost: false,
-				SSLHost:      "powpow.example.com",
-			},
-			expected: expected{
-				statusCode: http.StatusMovedPermanently,
-				location:   "https://powpow.example.com",
-			},
-		},
-		{
-			desc: "https without force host and sub domain should return a 301",
-			host: "https://www.powpow.example.com",
-			cfg: dynamic.Headers{
-				SSLRedirect:  true,
-				SSLForceHost: false,
-				SSLHost:      "powpow.example.com",
-			},
-			expected: expected{statusCode: http.StatusOK},
-		},
-	}
-
-	next := http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
-		_, _ = rw.Write([]byte("OK"))
-	})
-
-	for _, test := range testCases {
-		t.Run(test.desc, func(t *testing.T) {
-			mid := newSecure(next, test.cfg, "mymiddleware")
-
-			req := httptest.NewRequest(http.MethodGet, test.host, nil)
-
-			rw := httptest.NewRecorder()
-
-			mid.ServeHTTP(rw, req)
-
-			assert.Equal(t, test.expected.statusCode, rw.Result().StatusCode)
-			assert.Equal(t, test.expected.location, rw.Header().Get("Location"))
-		})
-	}
-}
-
 func Test_newSecure_modifyResponse(t *testing.T) {
 	testCases := []struct {
 		desc     string
 		cfg      dynamic.Headers
 		expected http.Header
 	}{
-		{
-			desc: "FeaturePolicy",
-			cfg: dynamic.Headers{
-				FeaturePolicy: "vibrate 'none';",
-			},
-			expected: http.Header{"Feature-Policy": []string{"vibrate 'none';"}},
-		},
 		{
 			desc: "PermissionsPolicy",
 			cfg: dynamic.Headers{

pkg/middlewares/stripprefix/strip_prefix.go

@@ -19,20 +19,18 @@ const (
 
 // stripPrefix is a middleware used to strip prefix from an URL request.
 type stripPrefix struct {
-	next       http.Handler
+	next     http.Handler
-	prefixes   []string
+	prefixes []string
-	forceSlash bool // TODO Must be removed (breaking), the default behavior must be forceSlash=false
+	name     string
-	name       string
 }
 
 // New creates a new strip prefix middleware.
 func New(ctx context.Context, next http.Handler, config dynamic.StripPrefix, name string) (http.Handler, error) {
 	middlewares.GetLogger(ctx, name, typeName).Debug().Msg("Creating middleware")
 	return &stripPrefix{
-		prefixes:   config.Prefixes,
+		prefixes: config.Prefixes,
-		forceSlash: config.ForceSlash,
+		next:     next,
-		next:       next,
+		name:     name,
-		name:       name,
 	}, nil
 }
 
@@ -61,13 +59,6 @@ func (s *stripPrefix) serveRequest(rw http.ResponseWriter, req *http.Request, pr
 }
 
 func (s *stripPrefix) getPrefixStripped(urlPath, prefix string) string {
-	if s.forceSlash {
-		// Only for compatibility reason with the previous behavior,
-		// but the previous behavior is wrong.
-		// This needs to be removed in the next breaking version.
-		return "/" + strings.TrimPrefix(strings.TrimPrefix(urlPath, prefix), "/")
-	}
-
 	return ensureLeadingSlash(strings.TrimPrefix(urlPath, prefix))
 }
 

pkg/middlewares/stripprefix/strip_prefix_test.go

@@ -31,17 +31,6 @@ func TestStripPrefix(t *testing.T) {
 			expectedStatusCode: http.StatusOK,
 			expectedPath:       "/noprefixes",
 		},
-		{
-			desc: "wildcard (.*) requests (ForceSlash)",
-			config: dynamic.StripPrefix{
-				Prefixes:   []string{"/"},
-				ForceSlash: true,
-			},
-			path:               "/",
-			expectedStatusCode: http.StatusOK,
-			expectedPath:       "/",
-			expectedHeader:     "/",
-		},
 		{
 			desc: "wildcard (.*) requests",
 			config: dynamic.StripPrefix{
@@ -52,17 +41,6 @@ func TestStripPrefix(t *testing.T) {
 			expectedPath:       "",
 			expectedHeader:     "/",
 		},
-		{
-			desc: "prefix and path matching (ForceSlash)",
-			config: dynamic.StripPrefix{
-				Prefixes:   []string{"/stat"},
-				ForceSlash: true,
-			},
-			path:               "/stat",
-			expectedStatusCode: http.StatusOK,
-			expectedPath:       "/",
-			expectedHeader:     "/stat",
-		},
 		{
 			desc: "prefix and path matching",
 			config: dynamic.StripPrefix{
@@ -73,17 +51,6 @@ func TestStripPrefix(t *testing.T) {
 			expectedPath:       "",
 			expectedHeader:     "/stat",
 		},
-		{
-			desc: "path prefix on exactly matching path (ForceSlash)",
-			config: dynamic.StripPrefix{
-				Prefixes:   []string{"/stat/"},
-				ForceSlash: true,
-			},
-			path:               "/stat/",
-			expectedStatusCode: http.StatusOK,
-			expectedPath:       "/",
-			expectedHeader:     "/stat/",
-		},
 		{
 			desc: "path prefix on exactly matching path",
 			config: dynamic.StripPrefix{
@@ -133,17 +100,6 @@ func TestStripPrefix(t *testing.T) {
 			expectedPath:       "/us",
 			expectedHeader:     "/stat",
 		},
-		{
-			desc: "later prefix matching (ForceSlash)",
-			config: dynamic.StripPrefix{
-				Prefixes:   []string{"/mismatch", "/stat"},
-				ForceSlash: true,
-			},
-			path:               "/stat",
-			expectedStatusCode: http.StatusOK,
-			expectedPath:       "/",
-			expectedHeader:     "/stat",
-		},
 		{
 			desc: "later prefix matching",
 			config: dynamic.StripPrefix{

pkg/plugins/client.go

@@ -35,8 +35,7 @@ const (
 const pluginsURL = "https://plugins.traefik.io/public/"
 
 const (
-	hashHeader  = "X-Plugin-Hash"
+	hashHeader = "X-Plugin-Hash"
-	tokenHeader = "X-Token"
 )
 
 // ClientOptions the options of a Traefik plugins client.
@@ -49,7 +48,6 @@ type Client struct {
 	HTTPClient *http.Client
 	baseURL    *url.URL
 
-	token     string
 	archives  string
 	stateFile string
 	goPath    string
@@ -158,10 +156,6 @@ func (c *Client) Download(ctx context.Context, pName, pVersion string) (string,
 		req.Header.Set(hashHeader, hash)
 	}
 
-	if c.token != "" {
-		req.Header.Set(tokenHeader, c.token)
-	}
-
 	resp, err := c.HTTPClient.Do(req)
 	if err != nil {
 		return "", fmt.Errorf("failed to call service: %w", err)
@@ -222,10 +216,6 @@ func (c *Client) Check(ctx context.Context, pName, pVersion, hash string) error
 		req.Header.Set(hashHeader, hash)
 	}
 
-	if c.token != "" {
-		req.Header.Set(tokenHeader, c.token)
-	}
-
 	resp, err := c.HTTPClient.Do(req)
 	if err != nil {
 		return fmt.Errorf("failed to call service: %w", err)

pkg/provider/consulcatalog/config_test.go

@@ -3070,7 +3070,6 @@ func Test_buildConfiguration(t *testing.T) {
 func TestNamespaces(t *testing.T) {
 	testCases := []struct {
 		desc               string
-		namespace          string
 		namespaces         []string
 		expectedNamespaces []string
 	}{
@@ -3078,11 +3077,6 @@ func TestNamespaces(t *testing.T) {
 			desc:               "no defined namespaces",
 			expectedNamespaces: []string{""},
 		},
-		{
-			desc:               "deprecated: use of defined namespace",
-			namespace:          "test-ns",
-			expectedNamespaces: []string{"test-ns"},
-		},
 		{
 			desc:               "use of 1 defined namespaces",
 			namespaces:         []string{"test-ns"},
@@ -3102,7 +3096,6 @@ func TestNamespaces(t *testing.T) {
 			t.Parallel()
 
 			pb := &ProviderBuilder{
-				Namespace:  test.namespace,
 				Namespaces: test.namespaces,
 			}
 

pkg/provider/consulcatalog/consul_catalog.go

@@ -49,25 +49,15 @@ type itemData struct {
 type ProviderBuilder struct {
 	Configuration `yaml:",inline" export:"true"`
 
-	// Deprecated: use Namespaces option instead.
-	Namespace  string   `description:"Sets the namespace used to discover services (Consul Enterprise only)." json:"namespace,omitempty" toml:"namespace,omitempty" yaml:"namespace,omitempty"`
 	Namespaces []string `description:"Sets the namespaces used to discover services (Consul Enterprise only)." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty"`
 }
 
 // BuildProviders builds Consul Catalog provider instances for the given namespaces configuration.
 func (p *ProviderBuilder) BuildProviders() []*Provider {
-	// We can warn about that, because we've already made sure before that
-	// Namespace and Namespaces are mutually exclusive.
-	if p.Namespace != "" {
-		log.Warn().Msg("Namespace option is deprecated, please use the Namespaces option instead.")
-	}
-
 	if len(p.Namespaces) == 0 {
 		return []*Provider{{
 			Configuration: p.Configuration,
 			name:          providerName,
-			// p.Namespace could very well be empty.
-			namespace: p.Namespace,
 		}}
 	}
 

pkg/provider/kubernetes/crd/kubernetes.go

@@ -623,7 +623,6 @@ func createForwardAuthMiddleware(k8sClient Client, namespace string, auth *v1alp
 	}
 
 	forwardAuth.TLS = &types.ClientTLS{
-		CAOptional:         auth.TLS.CAOptional,
 		InsecureSkipVerify: auth.TLS.InsecureSkipVerify,
 	}
 

pkg/provider/kubernetes/crd/kubernetes_test.go

@@ -5144,8 +5144,7 @@ func TestCrossNamespace(t *testing.T) {
 					Middlewares: map[string]*dynamic.Middleware{
 						"cross-ns-stripprefix": {
 							StripPrefix: &dynamic.StripPrefix{
-								Prefixes:   []string{"/stripit"},
+								Prefixes: []string{"/stripit"},
-								ForceSlash: false,
 							},
 						},
 					},
@@ -5215,8 +5214,7 @@ func TestCrossNamespace(t *testing.T) {
 					Middlewares: map[string]*dynamic.Middleware{
 						"cross-ns-stripprefix": {
 							StripPrefix: &dynamic.StripPrefix{
-								Prefixes:   []string{"/stripit"},
+								Prefixes: []string{"/stripit"},
-								ForceSlash: false,
 							},
 						},
 						"default-test-errorpage": {

pkg/provider/kubernetes/crd/traefik/v1alpha1/middleware.go

@@ -167,7 +167,6 @@ type ClientTLS struct {
 	CertSecret string `json:"certSecret,omitempty"`
 	// InsecureSkipVerify defines whether the server certificates should be validated.
 	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
-	CAOptional         bool `json:"caOptional,omitempty"`
 }
 
 // +k8s:deepcopy-gen=true

pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go

@@ -41,10 +41,6 @@ type TLSOptionSpec struct {
 	ClientAuth ClientAuth `json:"clientAuth,omitempty"`
 	// SniStrict defines whether Traefik allows connections from clients connections that do not specify a server_name extension.
 	SniStrict bool `json:"sniStrict,omitempty"`
-	// PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
-	// It is enabled automatically when minVersion or maxVersion is set.
-	// Deprecated: https://github.com/golang/go/issues/45430
-	PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty"`
 	// ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
 	// More info: https://doc.traefik.io/traefik/v2.9/https/tls/#alpn-protocols
 	ALPNProtocols []string `json:"alpnProtocols,omitempty"`

pkg/provider/kv/consul/consul.go

@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/kvtools/consul"
-	"github.com/rs/zerolog/log"
 	"github.com/traefik/traefik/v2/pkg/provider"
 	"github.com/traefik/traefik/v2/pkg/provider/kv"
 	"github.com/traefik/traefik/v2/pkg/types"
@@ -25,8 +24,6 @@ type ProviderBuilder struct {
 	Token string           `description:"Per-request ACL token." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty" loggable:"false"`
 	TLS   *types.ClientTLS `description:"Enable TLS support." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"`
 
-	// Deprecated: use Namespaces instead.
-	Namespace  string   `description:"Sets the namespace used to discover the configuration (Consul Enterprise only)." json:"namespace,omitempty" toml:"namespace,omitempty" yaml:"namespace,omitempty"`
 	Namespaces []string `description:"Sets the namespaces used to discover the configuration (Consul Enterprise only)." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty"`
 }
 
@@ -38,20 +35,12 @@ func (p *ProviderBuilder) SetDefaults() {
 
 // BuildProviders builds Consul provider instances for the given namespaces configuration.
 func (p *ProviderBuilder) BuildProviders() []*Provider {
-	// We can warn about that, because we've already made sure before that
-	// Namespace and Namespaces are mutually exclusive.
-	if p.Namespace != "" {
-		log.Warn().Msg("Namespace option is deprecated, please use the Namespaces option instead.")
-	}
-
 	if len(p.Namespaces) == 0 {
 		return []*Provider{{
 			Provider: p.Provider,
 			name:     providerName,
-			// p.Namespace could very well be empty.
+			token:    p.Token,
-			namespace: p.Namespace,
+			tls:      p.TLS,
-			token:     p.Token,
-			tls:       p.TLS,
 		}}
 	}
 

pkg/provider/kv/consul/consul_test.go

@@ -9,7 +9,6 @@ import (
 func TestNamespaces(t *testing.T) {
 	testCases := []struct {
 		desc               string
-		namespace          string
 		namespaces         []string
 		expectedNamespaces []string
 	}{
@@ -17,11 +16,6 @@ func TestNamespaces(t *testing.T) {
 			desc:               "no defined namespaces",
 			expectedNamespaces: []string{""},
 		},
-		{
-			desc:               "deprecated: use of defined namespace",
-			namespace:          "test-ns",
-			expectedNamespaces: []string{"test-ns"},
-		},
 		{
 			desc:               "use of 1 defined namespaces",
 			namespaces:         []string{"test-ns"},
@@ -41,7 +35,6 @@ func TestNamespaces(t *testing.T) {
 			t.Parallel()
 
 			pb := &ProviderBuilder{
-				Namespace:  test.namespace,
 				Namespaces: test.namespaces,
 			}
 

pkg/provider/kv/kv_test.go

@@ -79,7 +79,6 @@ func Test_buildConfiguration(t *testing.T) {
 		"traefik/http/middlewares/Middleware08/forwardAuth/tls/key":                                  "foobar",
 		"traefik/http/middlewares/Middleware08/forwardAuth/tls/insecureSkipVerify":                   "true",
 		"traefik/http/middlewares/Middleware08/forwardAuth/tls/ca":                                   "foobar",
-		"traefik/http/middlewares/Middleware08/forwardAuth/tls/caOptional":                           "true",
 		"traefik/http/middlewares/Middleware08/forwardAuth/tls/cert":                                 "foobar",
 		"traefik/http/middlewares/Middleware08/forwardAuth/address":                                  "foobar",
 		"traefik/http/middlewares/Middleware08/forwardAuth/trustForwardHeader":                       "true",
@@ -106,12 +105,8 @@ func Test_buildConfiguration(t *testing.T) {
 		"traefik/http/middlewares/Middleware09/headers/accessControlAllowOriginListRegex/1":          "foobar",
 		"traefik/http/middlewares/Middleware09/headers/contentTypeNosniff":                           "true",
 		"traefik/http/middlewares/Middleware09/headers/accessControlAllowCredentials":                "true",
-		"traefik/http/middlewares/Middleware09/headers/featurePolicy":                                "foobar",
 		"traefik/http/middlewares/Middleware09/headers/permissionsPolicy":                            "foobar",
 		"traefik/http/middlewares/Middleware09/headers/forceSTSHeader":                               "true",
-		"traefik/http/middlewares/Middleware09/headers/sslRedirect":                                  "true",
-		"traefik/http/middlewares/Middleware09/headers/sslHost":                                      "foobar",
-		"traefik/http/middlewares/Middleware09/headers/sslForceHost":                                 "true",
 		"traefik/http/middlewares/Middleware09/headers/sslProxyHeaders/name1":                        "foobar",
 		"traefik/http/middlewares/Middleware09/headers/sslProxyHeaders/name0":                        "foobar",
 		"traefik/http/middlewares/Middleware09/headers/allowedHosts/0":                               "foobar",
@@ -130,7 +125,6 @@ func Test_buildConfiguration(t *testing.T) {
 		"traefik/http/middlewares/Middleware09/headers/addVaryHeader":                                "true",
 		"traefik/http/middlewares/Middleware09/headers/hostsProxyHeaders/0":                          "foobar",
 		"traefik/http/middlewares/Middleware09/headers/hostsProxyHeaders/1":                          "foobar",
-		"traefik/http/middlewares/Middleware09/headers/sslTemporaryRedirect":                         "true",
 		"traefik/http/middlewares/Middleware09/headers/customBrowserXSSValue":                        "foobar",
 		"traefik/http/middlewares/Middleware09/headers/referrerPolicy":                               "foobar",
 		"traefik/http/middlewares/Middleware09/headers/accessControlExposeHeaders/0":                 "foobar",
@@ -206,7 +200,6 @@ func Test_buildConfiguration(t *testing.T) {
 		"traefik/http/middlewares/Middleware18/retry/attempts":                                       "42",
 		"traefik/http/middlewares/Middleware19/stripPrefix/prefixes/0":                               "foobar",
 		"traefik/http/middlewares/Middleware19/stripPrefix/prefixes/1":                               "foobar",
-		"traefik/http/middlewares/Middleware19/stripPrefix/forceSlash":                               "true",
 		"traefik/tcp/routers/TCPRouter0/entryPoints/0":                                               "foobar",
 		"traefik/tcp/routers/TCPRouter0/entryPoints/1":                                               "foobar",
 		"traefik/tcp/routers/TCPRouter0/service":                                                     "foobar",
@@ -378,7 +371,6 @@ func Test_buildConfiguration(t *testing.T) {
 							"foobar",
 							"foobar",
 						},
-						ForceSlash: true,
 					},
 				},
 				"Middleware00": {
@@ -413,7 +405,6 @@ func Test_buildConfiguration(t *testing.T) {
 						Address: "foobar",
 						TLS: &types.ClientTLS{
 							CA:                 "foobar",
-							CAOptional:         true,
 							Cert:               "foobar",
 							Key:                "foobar",
 							InsecureSkipVerify: true,
@@ -589,14 +580,10 @@ func Test_buildConfiguration(t *testing.T) {
 							"foobar",
 							"foobar",
 						},
-						SSLRedirect:          true,
-						SSLTemporaryRedirect: true,
-						SSLHost:              "foobar",
 						SSLProxyHeaders: map[string]string{
 							"name1": "foobar",
 							"name0": "foobar",
 						},
-						SSLForceHost:            true,
 						STSSeconds:              42,
 						STSIncludeSubdomains:    true,
 						STSPreload:              true,
@@ -609,7 +596,6 @@ func Test_buildConfiguration(t *testing.T) {
 						ContentSecurityPolicy:   "foobar",
 						PublicKey:               "foobar",
 						ReferrerPolicy:          "foobar",
-						FeaturePolicy:           "foobar",
 						PermissionsPolicy:       "foobar",
 						IsDevelopment:           true,
 					},

pkg/provider/nomad/config_test.go

@@ -2611,7 +2611,6 @@ func Test_keepItem(t *testing.T) {
 func TestNamespaces(t *testing.T) {
 	testCases := []struct {
 		desc               string
-		namespace          string
 		namespaces         []string
 		expectedNamespaces []string
 	}{
@@ -2619,11 +2618,6 @@ func TestNamespaces(t *testing.T) {
 			desc:               "no defined namespaces",
 			expectedNamespaces: []string{""},
 		},
-		{
-			desc:               "deprecated: use of defined namespace",
-			namespace:          "test-ns",
-			expectedNamespaces: []string{"test-ns"},
-		},
 		{
 			desc:               "use of 1 defined namespaces",
 			namespaces:         []string{"test-ns"},
@@ -2643,7 +2637,6 @@ func TestNamespaces(t *testing.T) {
 			t.Parallel()
 
 			pb := &ProviderBuilder{
-				Namespace:  test.namespace,
 				Namespaces: test.namespaces,
 			}
 

pkg/provider/nomad/nomad.go

@@ -52,23 +52,15 @@ type item struct {
 type ProviderBuilder struct {
 	Configuration `yaml:",inline" export:"true"`
 
-	// Deprecated: Use Namespaces option instead
-	Namespace  string   `description:"Sets the Nomad namespace used to discover services." json:"namespace,omitempty" toml:"namespace,omitempty" yaml:"namespace,omitempty"`
 	Namespaces []string `description:"Sets the Nomad namespaces used to discover services." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty"`
 }
 
 // BuildProviders builds Nomad provider instances for the given namespaces configuration.
 func (p *ProviderBuilder) BuildProviders() []*Provider {
-	if p.Namespace != "" {
-		log.Warn().Msg("Namespace option is deprecated, please use the Namespaces option instead.")
-	}
-
 	if len(p.Namespaces) == 0 {
 		return []*Provider{{
 			Configuration: p.Configuration,
 			name:          providerName,
-			// p.Namespace could be empty
-			namespace: p.Namespace,
 		}}
 	}
 

pkg/redactor/redactor_config_test.go

@@ -175,8 +175,7 @@ func init() {
 					Prefix: "foo",
 				},
 				StripPrefix: &dynamic.StripPrefix{
-					Prefixes:   []string{"foo"},
+					Prefixes: []string{"foo"},
-					ForceSlash: true,
 				},
 				StripPrefixRegex: &dynamic.StripPrefixRegex{
 					Regex: []string{"foo"},
@@ -211,11 +210,7 @@ func init() {
 					AddVaryHeader:                     true,
 					AllowedHosts:                      []string{"foo"},
 					HostsProxyHeaders:                 []string{"foo"},
-					SSLRedirect:                       true,
-					SSLTemporaryRedirect:              true,
-					SSLHost:                           "foo",
 					SSLProxyHeaders:                   map[string]string{"foo": "bar"},
-					SSLForceHost:                      true,
 					STSSeconds:                        42,
 					STSIncludeSubdomains:              true,
 					STSPreload:                        true,
@@ -228,7 +223,6 @@ func init() {
 					ContentSecurityPolicy:             "foo",
 					PublicKey:                         "foo",
 					ReferrerPolicy:                    "foo",
-					FeaturePolicy:                     "foo",
 					PermissionsPolicy:                 "foo",
 					IsDevelopment:                     true,
 				},
@@ -278,7 +272,6 @@ func init() {
 					Address: "127.0.0.1",
 					TLS: &types.ClientTLS{
 						CA:                 "ca.pem",
-						CAOptional:         true,
 						Cert:               "cert.pem",
 						Key:                "cert.pem",
 						InsecureSkipVerify: true,
@@ -592,7 +585,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 		DefaultRule: "PathPrefix(`/`)",
 		TLS: &types.ClientTLS{
 			CA:                 "myCa",
-			CAOptional:         true,
 			Cert:               "mycert.pem",
 			Key:                "mycert.key",
 			InsecureSkipVerify: true,
@@ -615,7 +607,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 		DCOSToken:        "foobar",
 		TLS: &types.ClientTLS{
 			CA:                 "myCa",
-			CAOptional:         true,
 			Cert:               "mycert.pem",
 			Key:                "mycert.key",
 			InsecureSkipVerify: true,
@@ -691,7 +682,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 				Token:      "MyToken",
 				TLS: &types.ClientTLS{
 					CA:                 "myCa",
-					CAOptional:         true,
 					Cert:               "mycert.pem",
 					Key:                "mycert.key",
 					InsecureSkipVerify: true,
@@ -710,7 +700,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 			ExposedByDefault:  true,
 			DefaultRule:       "PathPrefix(`/`)",
 		},
-		Namespace:  "ns",
 		Namespaces: []string{"ns1", "ns2"},
 	}
 
@@ -735,12 +724,10 @@ func TestDo_staticConfiguration(t *testing.T) {
 		Token: "secret",
 		TLS: &types.ClientTLS{
 			CA:                 "myCa",
-			CAOptional:         true,
 			Cert:               "mycert.pem",
 			Key:                "mycert.key",
 			InsecureSkipVerify: true,
 		},
-		Namespace:  "ns",
 		Namespaces: []string{"ns1", "ns2"},
 	}
 
@@ -753,7 +740,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 		Password: "password",
 		TLS: &types.ClientTLS{
 			CA:                 "myCa",
-			CAOptional:         true,
 			Cert:               "mycert.pem",
 			Key:                "mycert.key",
 			InsecureSkipVerify: true,
@@ -778,7 +764,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 		Password: "password",
 		TLS: &types.ClientTLS{
 			CA:                 "myCa",
-			CAOptional:         true,
 			Cert:               "mycert.pem",
 			Key:                "mycert.key",
 			InsecureSkipVerify: true,
@@ -791,7 +776,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 		PollTimeout:  42,
 		TLS: &types.ClientTLS{
 			CA:                 "myCa",
-			CAOptional:         true,
 			Cert:               "mycert.pem",
 			Key:                "mycert.key",
 			InsecureSkipVerify: true,
@@ -903,7 +887,7 @@ func TestDo_staticConfiguration(t *testing.T) {
 		},
 		Datadog: &datadog.Config{
 			LocalAgentHostPort:         "foobar",
-			GlobalTag:                  "foobar",
+			GlobalTags:                 map[string]string{"foobar": "foobar"},
 			Debug:                      true,
 			PrioritySampling:           true,
 			TraceIDHeaderName:          "foobar",

pkg/redactor/testdata/anonymized-dynamic-config.json

@@ -99,8 +99,7 @@
         "stripPrefix": {
           "prefixes": [
             "foo"
-          ],
+          ]
-          "forceSlash": true
         },
         "stripPrefixRegex": {
           "regex": [
@@ -161,10 +160,6 @@
           "hostsProxyHeaders": [
             "foo"
           ],
-          "sslRedirect": true,
-          "sslTemporaryRedirect": true,
-          "sslHost": "xxxx",
-          "sslForceHost": true,
           "stsSeconds": 42,
           "stsIncludeSubdomains": true,
           "stsPreload": true,
@@ -177,7 +172,6 @@
           "contentSecurityPolicy": "xxxx",
           "publicKey": "xxxx",
           "referrerPolicy": "foo",
-          "featurePolicy": "foo",
           "permissionsPolicy": "foo",
           "isDevelopment": true
         },
@@ -235,7 +229,6 @@
           "address": "xxxx",
           "tls": {
             "ca": "xxxx",
-            "caOptional": true,
             "cert": "xxxx",
             "key": "xxxx",
             "insecureSkipVerify": true

pkg/redactor/testdata/anonymized-static-config.json

@@ -83,7 +83,6 @@
       "defaultRule": "xxxx",
       "tls": {
         "ca": "xxxx",
-        "caOptional": true,
         "cert": "xxxx",
         "key": "xxxx",
         "insecureSkipVerify": true
@@ -111,7 +110,6 @@
       "dcosToken": "xxxx",
       "tls": {
         "ca": "xxxx",
-        "caOptional": true,
         "cert": "xxxx",
         "key": "xxxx",
         "insecureSkipVerify": true
@@ -189,7 +187,6 @@
         "token": "xxxx",
         "tls": {
           "ca": "xxxx",
-          "caOptional": true,
           "cert": "xxxx",
           "key": "xxxx",
           "insecureSkipVerify": true
@@ -207,7 +204,6 @@
       "cache": true,
       "exposedByDefault": true,
       "defaultRule": "xxxx",
-      "namespace": "xxxx",
       "namespaces": [
         "xxxx",
         "xxxx"
@@ -233,12 +229,10 @@
       "token": "xxxx",
       "tls": {
         "ca": "xxxx",
-        "caOptional": true,
         "cert": "xxxx",
         "key": "xxxx",
         "insecureSkipVerify": true
       },
-      "namespace": "xxxx",
       "namespaces": [
         "xxxx",
         "xxxx"
@@ -248,7 +242,6 @@
       "rootKey": "xxxx",
       "tls": {
         "ca": "xxxx",
-        "caOptional": true,
         "cert": "xxxx",
         "key": "xxxx",
         "insecureSkipVerify": true
@@ -265,7 +258,6 @@
       "rootKey": "xxxx",
       "tls": {
         "ca": "xxxx",
-        "caOptional": true,
         "cert": "xxxx",
         "key": "xxxx",
         "insecureSkipVerify": true
@@ -279,7 +271,6 @@
       "pollTimeout": "42ns",
       "tls": {
         "ca": "xxxx",
-        "caOptional": true,
         "cert": "xxxx",
         "key": "xxxx",
         "insecureSkipVerify": true
@@ -394,7 +385,9 @@
     },
     "datadog": {
       "localAgentHostPort": "xxxx",
-      "globalTag": "foobar",
+      "globalTags": {
+        "foobar": "foobar"
+      },
       "debug": true,
       "prioritySampling": true,
       "traceIDHeaderName": "foobar",

pkg/redactor/testdata/secured-dynamic-config.json

@@ -99,8 +99,7 @@
         "stripPrefix": {
           "prefixes": [
             "foo"
-          ],
+          ]
-          "forceSlash": true
         },
         "stripPrefixRegex": {
           "regex": [
@@ -161,13 +160,9 @@
           "hostsProxyHeaders": [
             "foo"
           ],
-          "sslRedirect": true,
-          "sslTemporaryRedirect": true,
-          "sslHost": "foo",
           "sslProxyHeaders": {
             "foo": "bar"
           },
-          "sslForceHost": true,
           "stsSeconds": 42,
           "stsIncludeSubdomains": true,
           "stsPreload": true,
@@ -180,7 +175,6 @@
           "contentSecurityPolicy": "foo",
           "publicKey": "foo",
           "referrerPolicy": "foo",
-          "featurePolicy": "foo",
           "permissionsPolicy": "foo",
           "isDevelopment": true
         },
@@ -238,7 +232,6 @@
           "address": "127.0.0.1",
           "tls": {
             "ca": "ca.pem",
-            "caOptional": true,
             "cert": "cert.pem",
             "key": "xxxx",
             "insecureSkipVerify": true

pkg/tls/tls.go

@@ -18,14 +18,13 @@ type ClientAuth struct {
 
 // Options configures TLS for an entry point.
 type Options struct {
-	MinVersion               string     `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
+	MinVersion       string     `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
-	MaxVersion               string     `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
+	MaxVersion       string     `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
-	CipherSuites             []string   `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty" export:"true"`
+	CipherSuites     []string   `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty" export:"true"`
-	CurvePreferences         []string   `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty" export:"true"`
+	CurvePreferences []string   `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty" export:"true"`
-	ClientAuth               ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
+	ClientAuth       ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
-	SniStrict                bool       `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
+	SniStrict        bool       `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
-	PreferServerCipherSuites bool       `json:"preferServerCipherSuites,omitempty" toml:"preferServerCipherSuites,omitempty" yaml:"preferServerCipherSuites,omitempty" export:"true"` // Deprecated: https://github.com/golang/go/issues/45430
+	ALPNProtocols    []string   `json:"alpnProtocols,omitempty" toml:"alpnProtocols,omitempty" yaml:"alpnProtocols,omitempty" export:"true"`
-	ALPNProtocols            []string   `json:"alpnProtocols,omitempty" toml:"alpnProtocols,omitempty" yaml:"alpnProtocols,omitempty" export:"true"`
 }
 
 // SetDefaults sets the default values for an Options struct.

pkg/tracing/datadog/datadog.go

@@ -4,7 +4,6 @@ import (
 	"io"
 	"net"
 	"os"
-	"strings"
 
 	"github.com/opentracing/opentracing-go"
 	"github.com/rs/zerolog/log"
@@ -18,9 +17,7 @@ const Name = "datadog"
 
 // Config provides configuration settings for a datadog tracer.
 type Config struct {
-	LocalAgentHostPort string `description:"Sets the Datadog Agent host:port." json:"localAgentHostPort,omitempty" toml:"localAgentHostPort,omitempty" yaml:"localAgentHostPort,omitempty"`
+	LocalAgentHostPort         string            `description:"Sets the Datadog Agent host:port." json:"localAgentHostPort,omitempty" toml:"localAgentHostPort,omitempty" yaml:"localAgentHostPort,omitempty"`
-	// Deprecated: use GlobalTags instead.
-	GlobalTag                  string            `description:"Sets a key:value tag on all spans." json:"globalTag,omitempty" toml:"globalTag,omitempty" yaml:"globalTag,omitempty" export:"true"`
 	GlobalTags                 map[string]string `description:"Sets a list of key:value tags on all spans." json:"globalTags,omitempty" toml:"globalTags,omitempty" yaml:"globalTags,omitempty" export:"true"`
 	Debug                      bool              `description:"Enables Datadog debug." json:"debug,omitempty" toml:"debug,omitempty" yaml:"debug,omitempty" export:"true"`
 	PrioritySampling           bool              `description:"Enables priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled." json:"prioritySampling,omitempty" toml:"prioritySampling,omitempty" yaml:"prioritySampling,omitempty" export:"true"`
@@ -66,17 +63,6 @@ func (c *Config) Setup(serviceName string) (opentracing.Tracer, io.Closer, error
 		opts = append(opts, datadog.WithGlobalTag(k, v))
 	}
 
-	if c.GlobalTag != "" {
-		logger.Warn().Msg(`Datadog: option "globalTag" is deprecated, please use "globalTags" instead.`)
-
-		key, value, _ := strings.Cut(c.GlobalTag, ":")
-
-		// Don't override a tag already defined with the new option.
-		if _, ok := c.GlobalTags[key]; !ok {
-			opts = append(opts, datadog.WithGlobalTag(key, value))
-		}
-	}
-
 	if c.PrioritySampling {
 		opts = append(opts, datadog.WithPrioritySampling())
 	}

pkg/types/tls.go

@@ -16,9 +16,7 @@ import (
 // ClientTLS holds TLS specific configurations as client
 // CA, Cert and Key can be either path or file contents.
 type ClientTLS struct {
-	CA string `description:"TLS CA" json:"ca,omitempty" toml:"ca,omitempty" yaml:"ca,omitempty"`
+	CA                 string `description:"TLS CA" json:"ca,omitempty" toml:"ca,omitempty" yaml:"ca,omitempty"`
-	// Deprecated: TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).
-	CAOptional         bool   `description:"TLS CA.Optional" json:"caOptional,omitempty" toml:"caOptional,omitempty" yaml:"caOptional,omitempty" export:"true"`
 	Cert               string `description:"TLS cert" json:"cert,omitempty" toml:"cert,omitempty" yaml:"cert,omitempty"`
 	Key                string `description:"TLS key" json:"key,omitempty" toml:"key,omitempty" yaml:"key,omitempty" loggable:"false"`
 	InsecureSkipVerify bool   `description:"TLS insecure skip verify" json:"insecureSkipVerify,omitempty" toml:"insecureSkipVerify,omitempty" yaml:"insecureSkipVerify,omitempty" export:"true"`
@@ -31,10 +29,6 @@ func (c *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, error) {
 		return nil, nil
 	}
 
-	if c.CAOptional {
-		log.Ctx(ctx).Warn().Msg("CAOptional is deprecated, TLS client authentication is a server side option.")
-	}
-
 	// Not initialized, to rely on system bundle.
 	var caPool *x509.CertPool