traefik-helm-chart
HTTP3 UDP Service Created even when part of H3 Config is Missing
Welcome!
- [X] Yes, I've searched similar issues on GitHub and didn't find any.
- [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.
What version of the Traefik's Helm Chart are you using?
v3.9.2
What version of Traefik are you using?
v2.8.0
What did you do?
Scenario 1
Created traefik with values:
```yaml
ports:
  websecure:
    http3: true
experimental:
  http3:
    enabled: false
```
(I didn't actually have experimental section in my values file, just putting default values here to make things clearer)
I expect this should result in 443/UDP service to not be created, as http3 is not really configured properly when `experimental.http3.enabled` is set to `false` (the default behavior).
Scenario 2
Created traefik with values:
```yaml
ports:
  websecure:
    http3: true
experimental:
  http3:
    enabled: true
```
Although this is highly unintuitive, I figured this should result in 443/UDP service to not be created. See this unit test: https://github.com/traefik/traefik-helm-chart/blob/1d0cf0e611d529615b322e10c30476d42a54a8c7/traefik/tests/pod-config_test.yaml#L340-L353
The unit test describes that the http3 config flag should not be present when `tls` is disabled. However, very unintuitively, `tls` defaults to `false`:
https://github.com/traefik/traefik-helm-chart/blob/ce3dbf2eb2011388f16e3579b52e5f8f9f832225/traefik/values.yaml#L322-L338
Therefore, when deploying traefik with the values above, the 443/UDP service shouldn't be created since the H3 configuration is not complete.
What did you see instead?
In both scenarios, service `traefik-udp` is created and listens on 443/UDP.
https://github.com/traefik/traefik-helm-chart/blob/cc2a4bbbc58906cf51a3ef2cff7493185cc5ec1a/traefik/templates/service.yaml#L110
Creation of this service gives the illusion that HTTP3 has been properly configured, but in reality it is not working correctly. This can be somewhat misleading.
Additional Information
My proposal on this issue is that:
- In scenario 1, the udp service should not be created to avoid misleading users into thinking that http3 has been successfully configured.
- In scenario 2, `tls` should be enabled by default for the `websecure` endpoint. Disabling tls explicitly for `websecure` is quite abrupt and seems inconsistent with traefik's default behavior.
  - Another thing is, even if `tls` is disabled in the entrypoint, one can still enable it for an individual router via the `traefik.ingress.kubernetes.io/router.tls: "true"` annotation. Also, I can't tell for sure but it looks like traefik considers `tls` to be `true` if the ingress has a `traefik.ingress.kubernetes.io/router.tls.certresolver` annotation, even if tls is disabled on the entrypoint and not explicitly enabled by the `router.tls: "true"` annotation.
  - So based on the above, I think the http3 related arguments should be set regardless of the tls setting on the entrypoint. One can always enable the tls capability for certain routes later through dynamic configuration, and one would expect http3 to be enabled on those routes.
I would like to create a PR for this once the issue is officially confirmed.
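An added example, not part of the original issue and not the chart's own template code: a pre-deploy check over parsed Helm values that flags every port where `http3: true` would, per the behaviour reported above, expose a UDP service while the HTTP/3 prerequisites are unmet. The name `lint_http3` and the sample dictionaries are constructed; the `false` defaults for `experimental.http3.enabled` and the port's `tls.enabled` are assumptions taken from the issue text.

```python
# Added example. Models the behaviour described in the issue (chart v3.9.2),
# not the chart's actual templates. Inputs are already-parsed values (dicts).

def lint_http3(values):
    """Return (port, [missing settings]) for each port that requests HTTP/3
    but lacks a prerequisite, so a UDP service would exist without working H3."""
    experimental = values.get("experimental") or {}
    # Assumed default from the issue: experimental.http3.enabled = false
    exp_on = bool((experimental.get("http3") or {}).get("enabled", False))

    findings = []
    for name, port in sorted((values.get("ports") or {}).items()):
        port = port or {}
        if not port.get("http3", False):
            continue  # no HTTP/3 requested, so no UDP service is expected
        missing = []
        if not exp_on:
            missing.append("experimental.http3.enabled")
        # Assumed default from the issue: ports.<name>.tls.enabled = false
        if not (port.get("tls") or {}).get("enabled", False):
            missing.append(f"ports.{name}.tls.enabled")
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample values mirroring the two scenarios in the issue.
SCENARIO_1 = {"ports": {"websecure": {"http3": True}}}
SCENARIO_2 = {
    "ports": {"websecure": {"http3": True}},
    "experimental": {"http3": {"enabled": True}},
}
# Constructed values with every prerequisite set explicitly.
COMPLETE = {
    "ports": {"websecure": {"http3": True, "tls": {"enabled": True}}},
    "experimental": {"http3": {"enabled": True}},
}

if __name__ == "__main__":
    for label, vals in [("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2),
                        ("complete", COMPLETE)]:
        for port, missing in lint_http3(vals):
            print(f"{label}: port {port} sets http3 but is missing {missing}")
```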