---
date: 2022-09-04T05:04:00+01:00
title: Kubernetes/k3s Rancher with Traefik for HTTP/3
author: jochum
tags:
- kubernetes
- rancher
- traefik
---
Yesterday a friend of mine, [Rei Bauer](https://my.stargazer.at/), told me about HTTP/3 and how much faster it made her website.
She got new tools, I WANT THAT TOO.
For me that wasn't a 5-minute job, as I had to replace [ingress-nginx](https://github.com/kubernetes/ingress-nginx) with [traefik](https://traefik.io/).
<!--more-->
### Remove the current L7 Loadbalancer
- Remove Traefik
I have chosen not to use the Traefik version bundled with k3s/rancher (v2.6.x) but the latest and greatest (v2.8.x), so I modified my k3s installation with the following command:
**Do NOT use that command as is**
```bash
curl -sfL https://get.k3s.io | sh -s - server --datastore-endpoint="mysql://k3s:<mysqlpw>@tcp(maxscale-rw.example.com:3306)/k3s" --disable servicelb --disable traefik
```
Let's see what it does:
- *--disable servicelb* - Do not install servicelb; I replaced it with metallb.
- *--disable traefik* - Do not install the bundled traefik.
When you run the given command (with your own "datastore-endpoint") you will lose access to all L7 Ingresses, so please be aware of that and make sure you have ssh access to your cluster.
- Remove ingress-nginx
```bash
helm uninstall -n kube-system ingress-nginx
```
If you haven't lost layer 7 access to your cluster in the last step, you will lose it now :)
### Install traefik from the upstream sources
- Add the upstream helm catalog
```bash
helm repo add traefik https://helm.traefik.io/traefik
```
- Save my *traefik-values.yaml* somewhere:
```yaml
rbac:
  enabled: true
ports:
  web:
    hostPort: 80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    hostPort: 443
    http3:
      advertisedPort: 443
    tls:
      enabled: true
  websecure-udp:
    port: 8443
    hostPort: 443
    protocol: UDP
podAnnotations:
  prometheus.io/port: "8082"
  prometheus.io/scrape: "true"
providers:
  kubernetesIngress:
    publishedService:
      enabled: true
    allowExternalNameServices: true
  kubernetesCRD:
    allowExternalNameServices: true
priorityClassName: "system-cluster-critical"
tolerations:
  - key: "CriticalAddonsOnly"
    operator: "Exists"
  - key: "node-role.kubernetes.io/control-plane"
    operator: "Exists"
    effect: "NoSchedule"
  - key: "node-role.kubernetes.io/master"
    operator: "Exists"
    effect: "NoSchedule"
experimental:
  http3:
    enabled: true
additionalArguments:
  - "--certificatesresolvers.letsencrypt-prod.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
image:
  name: traefik
  tag: v2.8.4
proxyProtocol:
  enabled: true
  trustedIPs:
    - 10.0.0.0/8
forwardedHeaders:
  enabled: true
  trustedIPs:
    - 10.0.0.0/8
ssl:
  enabled: true
  permanentRedirect: true
certResolvers:
  letsencrypt-prod:
    email: support@jochum.dev
    tlsChallenge: true
    storage: /data/acme.json
logs:
  # general:
  #   format: json
  access:
    enabled: true
    # format: json
    fields:
      headers:
        defaultmode: drop
        names:
          User-Agent: keep
          Content-Type: keep
          RequestLine: keep
persistence:
  enabled: true
```
- Change the ACME email address there
- Install traefik
```bash
helm install -n kube-system traefik traefik/traefik -f traefik-values.yaml
```
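Once the release is up, it is worth checking from the outside that the values file did what it promises: the `web` entrypoint must answer every plain-HTTP request with a permanent redirect to https, the `websecure` entrypoint must advertise HTTP/3 on `advertisedPort` 443 through an `Alt-Svc` header, and `X-Forwarded-*`/PROXY information must only be honoured from peers inside `trustedIPs` (10.0.0.0/8 here), otherwise anyone on the internet could spoof the client address that ends up in your access logs. The script below is an added example, not part of the original post or of the Traefik project; the two sample responses and the host name `blog.example.com` are constructed, and `fetch()` is only a helper for running the same checks against a real host.

```python
"""Verify what traefik-values.yaml should yield: HTTP->HTTPS redirect on `web`,
HTTP/3 advertised on port 443 via Alt-Svc on `websecure`, and forwarded headers
trusted only from the configured trustedIPs. Sample data is constructed."""
import ipaddress
import re
import urllib.request
from urllib.error import HTTPError
from typing import Dict, List, Optional, Tuple

# One Alt-Svc alternative looks like  h3=":443"; ma=2592000  (RFC 7838);
# several alternatives are comma separated.
_ALT_SVC_ENTRY = re.compile(r'\s*([\w.+-]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')

# trustedIPs from the values file (proxyProtocol and forwardedHeaders)
TRUSTED_IPS = ["10.0.0.0/8"]


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def parse_alt_svc(header: str) -> List[Dict[str, object]]:
    """Parse an Alt-Svc value into [{proto, host, port, params}]; 'clear' yields []."""
    entries: List[Dict[str, object]] = []
    if header.strip().lower() == "clear":
        return entries
    for match in _ALT_SVC_ENTRY.finditer(header):
        proto, authority, raw_params = match.groups()
        host, _, port = authority.rpartition(":")  # ":443" -> host "", port "443"
        params: Dict[str, str] = {}
        for param in raw_params.split(";"):
            param = param.strip()
            if param:
                key, _, value = param.partition("=")
                params[key.strip()] = value.strip()
        entries.append({"proto": proto, "host": host,
                        "port": int(port) if port.isdigit() else None, "params": params})
    return entries


def advertises_h3(headers: Dict[str, str], expected_port: int = 443) -> bool:
    """True if Alt-Svc offers h3 (final or an h3-NN draft) on expected_port.
    An entry without a port means 'same port as this response', i.e. 443 here."""
    for entry in parse_alt_svc(_header(headers, "alt-svc")):
        proto = str(entry["proto"]).lower()
        if proto == "h3" or proto.startswith("h3-"):
            port = entry["port"] if entry["port"] is not None else 443
            if port == expected_port:
                return True
    return False


def redirects_to_https(status: int, headers: Dict[str, str], host: str) -> bool:
    """True if a plain-HTTP response is a permanent redirect (301/308) to https:// on host."""
    if status not in (301, 308):
        return False
    return _header(headers, "location").lower().startswith(f"https://{host.lower()}")


def forwarded_headers_trusted(peer_ip: str, trusted: Optional[List[str]] = None) -> bool:
    """Mirror Traefik's rule: X-Forwarded-*/PROXY data is honoured only when the direct
    peer (the metallb/LB hop) lies inside trustedIPs; any other peer is the real client."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in (trusted or TRUSTED_IPS))


def fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """HEAD a live URL without following redirects (for use against a real host)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 301/308 instead of following it
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(NoRedirect).open(request, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except HTTPError as err:
        return err.code, dict(err.headers)


def check_host(host: str, http_resp: Tuple[int, Dict[str, str]],
               https_resp: Tuple[int, Dict[str, str]]) -> Dict[str, bool]:
    """Combine the checks for one host given its http:// and https:// responses."""
    return {"http_redirects": redirects_to_https(http_resp[0], http_resp[1], host),
            "h3_advertised": advertises_h3(https_resp[1], 443)}


# Constructed sample responses modelled on what the values file should produce.
SAMPLE_HTTP = (301, {"Location": "https://blog.example.com/", "Content-Length": "17"})
SAMPLE_HTTPS = (200, {"Alt-Svc": 'h3=":443"; ma=2592000, h3-29=":443"; ma=2592000',
                      "Content-Type": "text/html"})

if __name__ == "__main__":
    print(check_host("blog.example.com", SAMPLE_HTTP, SAMPLE_HTTPS))
    print("LB hop trusted:", forwarded_headers_trusted("10.42.0.7"),
          "internet peer trusted:", forwarded_headers_trusted("203.0.113.9"))
```

Against a live cluster, replace the samples with `fetch("http://<your host>/")` and `fetch("https://<your host>/")`; an `Alt-Svc` pointing at a port other than the one reachable through `websecure-udp` (hostPort 443/UDP) means browsers will silently fall back to HTTP/2, and a `trustedIPs` range wider than your load balancer's source addresses means the first check passes while client addresses in the access log are no longer reliable.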
Have fun with Traefik, its internal ACME resolver and HTTP/3.