From 0940cc20f888c0a11f870acb70d84f8fecd3b5d8 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 23 May 2026 00:44:13 +1000
Subject: [PATCH] fix(traefik): listen on port 443 directly for Gateway API compatibility (#138)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Problem

Gateway listeners with `port: 443` were rejected with `PortUnavailable: Cannot find entryPoint for Gateway: no matching entryPoint for port 443 and protocol "HTTPS"`. Traefik matches Gateway listener ports against its internal entryPoint ports (pod-level), not the Service's `exposedPort`. The `websecure` entryPoint was configured on port `8443`, so port `443` listeners had no match.

## Fix

- `ports.websecure.port: 443` — Traefik now binds directly on 443
- `securityContext.capabilities.add: [NET_BIND_SERVICE]` — allows a non-root process to bind to privileged ports (<1024)

The Service `exposedPort` stays at `443`, so external connectivity is unchanged. All existing Gateway listeners (`port: 443`) are correct as-is. Applies to both internal and external Traefik instances.

## Test plan

- [ ] Traefik pods restart cleanly
- [ ] `kubectl get gateway -A` shows listeners as `Programmed: True`
- [ ] `https://rancher.k8s.syd1.au.unkin.net` (already merged) is reachable

Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/138
---
 .../au-syd1/traefik-system/values-external.yaml | 13 +++++++++++++
 .../au-syd1/traefik-system/values-internal.yaml | 13 +++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/apps/overlays/au-syd1/traefik-system/values-external.yaml b/apps/overlays/au-syd1/traefik-system/values-external.yaml
index ea56707..950a35f 100644
--- a/apps/overlays/au-syd1/traefik-system/values-external.yaml
+++ b/apps/overlays/au-syd1/traefik-system/values-external.yaml
@@ -82,4 +82,17 @@ podSecurityContext:
 seccompProfile:
 type: RuntimeDefault
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ALL]
+ add: [NET_BIND_SERVICE]
+ readOnlyRootFilesystem: true
+
+ports:
+ web:
+ port: 80
+ websecure:
+ port: 443
+ enabled: true
diff --git a/apps/overlays/au-syd1/traefik-system/values-internal.yaml b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
index 172827e..3c28466 100644
--- a/apps/overlays/au-syd1/traefik-system/values-internal.yaml
+++ b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
@@ -82,4 +82,17 @@ podSecurityContext:
 seccompProfile:
 type: RuntimeDefault
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ALL]
+ add: [NET_BIND_SERVICE]
+ readOnlyRootFilesystem: true
+
+ports:
+ web:
+ port: 80
+ websecure:
+ port: 443
+ enabled: true
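Review bot: Adding `NET_BIND_SERVICE` under `securityContext.capabilities.add` may not be enough for the bind on 443 if the pod still runs as a non-root user, because a capability added in the container spec lands in the bounding set and is generally not raised into the effective set of a non-root process unless the binary carries file capabilities; the `podSecurityContext` mapping that would show `runAsUser`/`runAsNonRoot` starts before this hunk, so that cannot be confirmed here. If the pod does run non-root, the lower-privilege alternative is the safe sysctl `net.ipv4.ip_unprivileged_port_start: "0"` under `podSecurityContext.sysctls`, which permits binding to 443 without granting any capability at all. The first test-plan item (pods restart cleanly) is the check that would surface a bind failure, so it is worth confirming with the non-root settings left in place rather than relaxed. The identical block in values-internal.yaml carries the same question. A comment above `ports:` such as `# Pod-level entryPoint ports must equal Gateway listener ports; Traefik does not match on exposedPort` would also explain why `web` moves to 80 here, which the commit message does not mention.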