From 44cc3d847dd99dadfa889a2107662858b83a23c8 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 23 May 2026 00:31:58 +1000
Subject: [PATCH] fix(traefik): listen on port 443 directly for Gateway API compatibility

Traefik matches Gateway listener ports against entryPoint internal ports. websecure was on 8443 so port 443 listeners were rejected as PortUnavailable. Change websecure to listen on 443 and add NET_BIND_SERVICE capability to allow binding to privileged ports as a non-root user.
---
 .../au-syd1/traefik-system/values-external.yaml | 11 +++++++++++
 .../au-syd1/traefik-system/values-internal.yaml | 11 +++++++++++
 2 files changed, 22 insertions(+)

diff --git a/apps/overlays/au-syd1/traefik-system/values-external.yaml b/apps/overlays/au-syd1/traefik-system/values-external.yaml
index ea56707..bf8724e 100644
--- a/apps/overlays/au-syd1/traefik-system/values-external.yaml
+++ b/apps/overlays/au-syd1/traefik-system/values-external.yaml
@@ -82,4 +82,15 @@ podSecurityContext:
 seccompProfile:
 type: RuntimeDefault
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ALL]
+ add: [NET_BIND_SERVICE]
+ readOnlyRootFilesystem: true
+
+ports:
+ websecure:
+ port: 443
+
 enabled: true
diff --git a/apps/overlays/au-syd1/traefik-system/values-internal.yaml b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
index 172827e..5fc2de6 100644
--- a/apps/overlays/au-syd1/traefik-system/values-internal.yaml
+++ b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
@@ -82,4 +82,15 @@ podSecurityContext:
 seccompProfile:
 type: RuntimeDefault
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ALL]
+ add: [NET_BIND_SERVICE]
+ readOnlyRootFilesystem: true
+
+ports:
+ websecure:
+ port: 443
+
 enabled: true
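Review bot: The `add: [NET_BIND_SERVICE]` line under `securityContext.capabilities` is unlikely to be what allows the bind to 443 when Traefik runs as a non-root UID, which is what the commit message relies on. Kubernetes does not set ambient capabilities, so a capability added for a non-root process is normally lost at exec, and `allowPrivilegeEscalation: false` rules out regaining it through file capabilities on the binary. If the bind succeeds on this cluster it is probably because the container runtime already lowers `net.ipv4.ip_unprivileged_port_start`; stating that in `podSecurityContext` with `sysctls: [{name: net.ipv4.ip_unprivileged_port_start, value: "0"}]` (assuming the chart renders that map verbatim) would let the overlay keep `drop: [ALL]` with no `add` at all. The `podSecurityContext` block begins above the hunk, so the effective UID is not visible here and should be confirmed. The identical hunk in values-internal.yaml needs the same decision.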