On a sudden impulse, today I updated the Traefik in my cluster to v3. Unlike the transition from v1 to v2, v2 to v3 was very smooth. I only needed a few tiny tweaks to the configuration. One of those was that HTTP/3 support is no longer “experimental” and so it shouldn’t be configured as such. This started me on a weird quest to get my sites to use H3.
The problem was that even though I supposedly had enabled HTTP/3 in Traefik’s manifests (the Helm values), it just wouldn’t work. I kinda gave up on Firefox reflecting the changes (I assumed that some kind of caching was getting in the way), but online tools kept returning negative as well. Testing with a local Docker-based setup, I confirmed that it does work in Traefik itself. Therefore the issue had to be either in my VPS or k3s. At least so I thought.
Looking at the server’s iptables -nvL | grep udp output, the problem became somewhat clearer:
/* kube-system/traefik-udp:websecure-http3 has no endpoints */ udp dpt:443 reject-with icmp-port-unreachable
But why would it say that the websecure-http3 had no endpoints? It’s created by Traefik automatically and it really should have endpoints all right. I could see in Argo that the Traefik Service for UDP was created. Long story short, it was an issue of the Traefik Deployment not getting synced when it was updated in Argo, so it didn’t have the websecure-http3 port added.
I started a manual sync in Argo with Replace (recreate) enabled, and once the resources came back online everything was working as expected, and I could confirm using online tools (and other browsers) that HTTP/3 is now available. Now to wait for Firefox to notice that too…
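The iptables check above can be turned into a small helper that lists every Service kube-proxy is rejecting for lack of endpoints. This is an added example, not part of the original post: the function names, the leading iptables columns and the default/demo-app line are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find Services that kube-proxy rejects for lack of endpoints.

# Reads `iptables -nvL` output on stdin and prints one line per reject rule:
#   <namespace>/<service>:<port-name> <proto>/<dport>
no_endpoint_services() {
  awk '
    /has no endpoints/ && /reject-with/ {
      svc = ""; proto = ""; port = ""
      for (i = 2; i <= NF; i++) {
        if ($(i - 1) == "/*") svc = $i       # first token of the rule comment
        if ($i ~ /^dpt:[0-9]+$/) {           # match part: "<proto> dpt:<port>"
          port = substr($i, 5); proto = $(i - 1)
        }
      }
      if (svc != "") print svc, proto "/" port
    }'
}

# Turns those lines into the kubectl command that shows each Service's endpoints.
endpoint_checks() {
  while read -r svc rest; do
    ns=${svc%%/*}; name=${svc#*/}; name=${name%%:*}
    printf 'kubectl -n %s get endpoints %s\n' "$ns" "$name"
  done
}

# Constructed sample input (addresses, counters and the demo-app rule are made up).
SAMPLE=$(cat <<'EOF'
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            203.0.113.10         /* kube-system/traefik-udp:websecure-http3 has no endpoints */ udp dpt:443 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            10.43.0.50           /* default/demo-app:http has no endpoints */ tcp dpt:8080 reject-with icmp-port-unreachable
EOF
)

# Demo on the sample; on a real node use: iptables -nvL | no_endpoint_services
printf '%s\n' "$SAMPLE" | no_endpoint_services
printf '%s\n' "$SAMPLE" | no_endpoint_services | endpoint_checks
```

An empty endpoints list for a Service that should be backed by a running Pod points at a selector or container-port mismatch, which is what a Deployment that never picked up the new port produces.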