---
date: 2022-09-04T05:04:00+01:00
title: Kubernetes/k3s Rancher with Traefik for HTTP/3
author: jochum
tags:
  - kubernetes
  - rancher
  - traefik
---

Yesterday a friend of mine, [Rei Bauer](https://my.stargazer.at/), told me about HTTP/3 and how much faster it made her website. She got new tools, I WANT THAT TOO.

For me that wasn't a 5 minute job, as I had to replace [ingress-nginx](https://github.com/kubernetes/ingress-nginx) with [traefik](https://traefik.io/).

### Remove the current L7 Loadbalancer

- Remove Traefik

  I have chosen not to use the k3s/rancher version (v2.6.x) of Traefik but the latest and greatest (v2.8.x), so I modified my k3s with the following command:

  **Do NOT use that command as is**

  ```bash
  curl -sfL https://get.k3s.io | sh -s - server --datastore-endpoint="mysql://k3s:@tcp(maxscale-rw.example.com:3306)/k3s" --disable servicelb --disable traefik
  ```

  Let's see what it does:

  - *--disable servicelb* - Do not install servicelb, I replaced it with metallb.
  - *--disable traefik* - Do not install traefik

  When you use the given command (with your own "datastore-endpoint") you will see that you lose access to all L7 Ingresses, so please be aware of that and make sure you have SSH access to your cluster.
- Remove ingress-nginx

  ```bash
  helm uninstall -n kube-system ingress-nginx
  ```

  If you haven't lost layer 7 access to your cluster in the last step, you will lose it now :)

### Install traefik from the upstream sources

- Add the upstream helm catalog

  ```bash
  helm repo add traefik https://helm.traefik.io/traefik
  ```

- Save my *traefik-values.yaml* somewhere:

  ```yaml
  rbac:
    enabled: true
  ports:
    web:
      hostPort: 80
      http:
        redirections:
          entryPoint:
            to: websecure
            scheme: https
    websecure:
      hostPort: 443
      http3:
        advertisedPort: 443
      tls:
        enabled: true
    websecure-udp:
      port: 443
      hostPort: 443
      protocol: UDP
  podAnnotations:
    prometheus.io/port: "8082"
    prometheus.io/scrape: "true"
  providers:
    kubernetesIngress:
      publishedService:
        enabled: true
  priorityClassName: "system-cluster-critical"
  tolerations:
    - key: "CriticalAddonsOnly"
      operator: "Exists"
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"
      effect: "NoSchedule"
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
      effect: "NoSchedule"
  experimental:
    http3:
      enabled: true
  additionalArguments:
    - "--providers.kubernetesingress.allowexternalnameservices"
    - "--providers.kubernetescrd.allowexternalnameservices"
    - "--entrypoints.websecure.http3.advertisedport=443"
    - "--certificatesresolvers.letsencrypt-prod.acme.tlschallenge"
    - "--certificatesresolvers.letsencrypt-prod.acme.email=support@jochum.dev"
    - "--certificatesresolvers.letsencrypt-prod.acme.storage=/data/acme.json"
    - "--certificatesresolvers.letsencrypt-prod.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
  image:
    name: traefik
    tag: v2.8.4
  proxyProtocol:
    enabled: true
    trustedIPs:
      -
  forwardedHeaders:
    enabled: true
    trustedIPs:
      -
  ssl:
    enabled: true
    permanentRedirect: true
  logs:
    # general:
    #   format: json
    access:
      enabled: true
      # format: json
      fields:
        headers:
          defaultmode: drop
          names:
            User-Agent: keep
            Content-Type: keep
            RequestLine: keep
  persistence:
    enabled: true
  ```

- Change the acme email address there
- Install traefik

  ```bash
  helm install -n kube-system traefik traefik/traefik -f traefik-values.yaml
  ```

Have fun with Traefik, its internal ACME resolver and HTTP/3.
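Two things I like to check around that `helm install`, as an added example that is neither part of the original post nor code from the Traefik project: a pre-flight lint of the values file (was the ACME email actually changed, are the HTTP/3 advertised-port flag and the UDP entrypoint both there, is `trustedIPs` still an empty list), and a post-install check that the running Traefik advertises `h3` on port 443 via `Alt-Svc` and redirects plain HTTP to HTTPS. The two sample values files, the header samples and the `LIVE_HOST` variable are constructed for the demo; only the key names come from the values file above.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight lint of a
# traefik-values.yaml plus a header check of the deployed Traefik.
# Assumes the values file has the shape shown in the post; the sample
# files, header samples and LIVE_HOST below are constructed.

# lint_values FILE -> prints each problem found, returns 1 if there was one.
lint_values() {
    file="$1"; rc=0
    # 1. The ACME account email must be your own, not the post author's.
    if grep -q 'acme.email=support@jochum.dev' "$file"; then
        echo "values: acme.email still carries the post author's address"; rc=1
    fi
    # 2. HTTP/3 needs the advertised-port flag AND a UDP entrypoint on 443;
    #    without the UDP port clients are told about a port nothing listens on.
    grep -q -- '--entrypoints.websecure.http3.advertisedport=443' "$file" \
        || { echo "values: http3 advertisedport flag missing"; rc=1; }
    grep -q 'protocol: UDP' "$file" \
        || { echo "values: no UDP entrypoint (websecure-udp) for HTTP/3"; rc=1; }
    # 3. A trustedIPs list that is just a bare "-" trusts nobody, so PROXY
    #    protocol / X-Forwarded-* data is dropped and the access log shows the
    #    load balancer's address instead of the client's.
    awk '
        prev_ip && $0 ~ /^[ \t]*-[ \t]*$/ { empty++ }
        { prev_ip = ($0 ~ /trustedIPs:[ \t]*$/) }
        END { exit (empty > 0) }' "$file" \
        || { echo "values: trustedIPs is empty; list your load balancer addresses"; rc=1; }
    return $rc
}

# h3_advertised HEADERS -> 0 when an Alt-Svc header offers h3 on port 443,
# which is what --entrypoints.websecure.http3.advertisedport=443 produces.
h3_advertised() {
    printf '%s\n' "$1" | grep -i '^alt-svc:' | grep -q 'h3=":443"'
}

# https_redirect HEADERS -> 0 when the plain-HTTP answer is a 30x to https://
https_redirect() {
    printf '%s\n' "$1" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 30[1278]' \
        && printf '%s\n' "$1" | grep -i '^location:' | grep -q 'https://'
}

# live_check HOST -> runs both header checks against a real deployment.
live_check() {
    host="$1"
    if https_redirect "$(curl -sI "http://$host/")"; then
        echo "http -> https redirect: ok"; else echo "http -> https redirect: MISSING"; fi
    if h3_advertised "$(curl -sI "https://$host/")"; then
        echo "alt-svc h3 on 443: ok"; else echo "alt-svc h3 on 443: MISSING"; fi
}

# Constructed samples (not real captures) so the functions can run offline.
GOOD_HEADERS='HTTP/2 200
content-type: text/html
alt-svc: h3=":443"; ma=2592000'
PLAIN_HTTP_HEADERS='HTTP/1.1 308 Permanent Redirect
location: https://blog.example.test/'
NO_H3_HEADERS='HTTP/2 200
content-type: text/html'

SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/good.yaml" <<'EOF'
ports:
  websecure-udp:
    port: 443
    hostPort: 443
    protocol: UDP
additionalArguments:
  - "--entrypoints.websecure.http3.advertisedport=443"
  - "--certificatesresolvers.letsencrypt-prod.acme.email=ops@example.test"
proxyProtocol:
  enabled: true
  trustedIPs:
    - 10.0.0.5/32
EOF
cat >"$SAMPLE_DIR/bad.yaml" <<'EOF'
ports:
  websecure:
    hostPort: 443
additionalArguments:
  - "--certificatesresolvers.letsencrypt-prod.acme.email=support@jochum.dev"
proxyProtocol:
  enabled: true
  trustedIPs:
    -
EOF

if lint_values "$SAMPLE_DIR/good.yaml"; then echo "good.yaml: ok"; fi
if ! lint_values "$SAMPLE_DIR/bad.yaml"; then echo "bad.yaml: problems found (above)"; fi
if [ -n "${LIVE_HOST:-}" ]; then live_check "$LIVE_HOST"; fi
```

Run it as `LIVE_HOST=your.host.example sh check-traefik.sh` after the `helm install` to get the live result; without `LIVE_HOST` it only exercises the constructed samples. The lint is deliberately line-oriented (grep/awk) rather than a YAML parser so it runs on a bare node over SSH, which is where you will be if the L7 path is down.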