From 2875bf9d4e726ccacae6915bb4ed0eaa7d8210b1 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sat, 7 Feb 2026 20:43:49 +0000
Subject: [PATCH] [ci skip] Enable HTTP/3 (QUIC) for all ingresses

- Add http3.enabled + advertisedPort=443 to Traefik websecure entrypoint
- Add cloudflare_zone_settings_override to enable HTTP/3 for proxied domains
---
 modules/kubernetes/cloudflared/cloudflare.tf | 9 +++++++++
 modules/kubernetes/traefik/main.tf           | 3 ++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/modules/kubernetes/cloudflared/cloudflare.tf b/modules/kubernetes/cloudflared/cloudflare.tf
index 7bf71269..69722ff4 100644
--- a/modules/kubernetes/cloudflared/cloudflare.tf
+++ b/modules/kubernetes/cloudflared/cloudflare.tf
@@ -148,3 +148,12 @@ resource "cloudflare_record" "keyserver" {
   priority = 1
   zone_id  = var.cloudflare_zone_id
 }
+
+# Enable HTTP/3 (QUIC) for Cloudflare-proxied domains
+resource "cloudflare_zone_settings_override" "http3" {
+  zone_id = var.cloudflare_zone_id
+
+  settings {
+    http3 = "on"
+  }
+}
diff --git a/modules/kubernetes/traefik/main.tf b/modules/kubernetes/traefik/main.tf
index 04ce540e..eb4092e7 100644
--- a/modules/kubernetes/traefik/main.tf
+++ b/modules/kubernetes/traefik/main.tf
@@ -87,7 +87,8 @@ resource "helm_release" "traefik" {
           }
         }
         http3 = {
-          enabled = true
+          enabled        = true
+          advertisedPort = 443
         }
       }
       dns-udp = {