fix(traefik): listen on port 443 directly for Gateway API compatibility (#138)
## Problem

Gateway listeners with `port: 443` were rejected with `PortUnavailable: Cannot find entryPoint for Gateway: no matching entryPoint for port 443 and protocol "HTTPS"`.

Traefik matches Gateway listener ports against its internal entryPoint ports (pod-level), not the Service's `exposedPort`. The `websecure` entryPoint was configured on port `8443`, so port `443` listeners had no match.

## Fix

- `ports.websecure.port: 443` — Traefik now binds directly on 443
- `securityContext.capabilities.add: [NET_BIND_SERVICE]` — allows a non-root process to bind to privileged ports (<1024)

The Service `exposedPort` stays at `443`, so external connectivity is unchanged. All existing Gateway listeners (`port: 443`) are correct as-is.

Applies to both internal and external Traefik instances.

## Test plan

- [ ] Traefik pods restart cleanly
- [ ] `kubectl get gateway -A` shows listeners as `Programmed: True`
- [ ] `https://rancher.k8s.syd1.au.unkin.net` (already merged) is reachable

Reviewed-on: #138
This commit was merged in pull request #138.
@@ -82,4 +82,17 @@ podSecurityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: [ALL]
|
||||
add: [NET_BIND_SERVICE]
|
||||
readOnlyRootFilesystem: true
|
||||
|
||||
ports:
|
||||
web:
|
||||
port: 80
|
||||
websecure:
|
||||
port: 443
|
||||
|
||||
enabled: true
|
||||
|
||||
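Review bot: `capabilities.add: [NET_BIND_SERVICE]` only lets Traefik bind 443 if the capability ends up in the process's effective set, and this hunk sits under a `podSecurityContext` whose `runAsUser`/`runAsNonRoot` values are outside the visible context. When the container runs as a non-root UID, Linux clears added capabilities on exec unless the runtime grants them as ambient capabilities or the binary carries file capabilities, so the pod can start and still fail to listen on `websecure`. Suggest tightening the test plan's "pods restart cleanly" item to also confirm the entryPoint is actually bound (a bind error for `:443` in the Traefik pod logs is the symptom to look for), and, if it does not bind, consider the sysctl route instead of the capability: `podSecurityContext.sysctls` with `net.ipv4.ip_unprivileged_port_start: "0"`, which works regardless of UID and is a namespaced sysctl Kubernetes treats as safe.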
@@ -82,4 +82,17 @@ podSecurityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: [ALL]
|
||||
add: [NET_BIND_SERVICE]
|
||||
readOnlyRootFilesystem: true
|
||||
|
||||
ports:
|
||||
web:
|
||||
port: 80
|
||||
websecure:
|
||||
port: 443
|
||||
|
||||
enabled: true
|
||||
|
||||
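Review bot: this hunk is identical to the previous one, presumably the values file for the second (internal/external) Traefik instance, since the rendered page has dropped the file headers; the same non-root effective-capability caveat applies to the `add: [NET_BIND_SERVICE]` line here. Style point: the whole `securityContext` and `ports` block is now duplicated across the two instances, so consider moving it into a shared values file that both releases include, otherwise the two are likely to drift the next time one of them is hardened.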