fix(traefik): listen on port 443 directly for Gateway API compatibility #138

Merged
unkinben merged 2 commits from benvin/fix-gateway-listener-port into main 2026-05-23 00:44:14 +10:00
Owner

Problem

Gateway listeners with `port: 443` were rejected with `PortUnavailable: Cannot find entryPoint for Gateway: no matching entryPoint for port 443 and protocol "HTTPS"`.

Traefik matches Gateway listener ports against its internal entryPoint ports (pod-level), not the Service's `exposedPort`. The `websecure` entryPoint was configured on port `8443`, so port `443` listeners had no match.

Fix

  • `ports.websecure.port: 443` — Traefik now binds directly on 443
  • `securityContext.capabilities.add: [NET_BIND_SERVICE]` — allows a non-root process to bind to privileged ports (<1024)

The Service `exposedPort` stays at `443`, so external connectivity is unchanged. All existing Gateway listeners (`port: 443`) are correct as-is.

Applies to both internal and external Traefik instances.

Test plan

  • Traefik pods restart cleanly
  • `kubectl get gateway -A` shows listeners as `Programmed: True`
  • `https://rancher.k8s.syd1.au.unkin.net` (already merged) is reachable
unkinben added 1 commit 2026-05-23 00:32:11 +10:00
fix(traefik): listen on port 443 directly for Gateway API compatibility
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
44cc3d847d
Traefik matches Gateway listener ports against entryPoint internal ports.
websecure was on 8443 so port 443 listeners were rejected as PortUnavailable.

Change websecure to listen on 443 and add NET_BIND_SERVICE capability to
allow binding to privileged ports as a non-root user.
unkinben added 1 commit 2026-05-23 00:42:05 +10:00
fix(traefik): also move web entryPoint to port 80
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
587743a305
unkinben merged commit 0940cc20f8 into main 2026-05-23 00:44:14 +10:00
unkinben deleted branch benvin/fix-gateway-listener-port 2026-05-23 00:44:14 +10:00
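The matching rule this PR describes can be checked before deploying. The following is an added example, not code from this repository: it models listener ports being compared to entryPoint pod-level ports, and also reports any capability added beyond `NET_BIND_SERVICE`. The dict layout, the sample values, the function names, and the `MissingCapability` and `Programmed` status labels are assumptions made for illustration.

```python
# Added illustration, not code from the repository under review. Simplified model:
# a listener matches only an entryPoint's pod-level port; exposedPort is ignored.
PRIVILEGED_BELOW = 1024  # per the PR: non-root needs NET_BIND_SERVICE below this

# Constructed values mirroring the keys named in the PR description.
BEFORE = {"ports": {"websecure": {"port": 8443, "exposedPort": 443}}}
AFTER = {
    "ports": {
        "web": {"port": 80},
        "websecure": {"port": 443, "exposedPort": 443},
    },
    "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}},
}
# Constructed Gateway listener, shaped like the `port: 443` listeners in the PR.
LISTENERS = [{"name": "https", "port": 443, "protocol": "HTTPS"}]


def added_capabilities(values):
    """Capabilities the container security context adds."""
    sec = values.get("securityContext", {})
    return set(sec.get("capabilities", {}).get("add", []))


def check_listeners(values, listeners):
    """Return (listener name, status) pairs for each Gateway listener."""
    entrypoint_ports = {cfg["port"] for cfg in values.get("ports", {}).values()}
    caps = added_capabilities(values)
    results = []
    for listener in listeners:
        port = listener["port"]
        if port not in entrypoint_ports:
            status = "PortUnavailable"  # the reason quoted in the PR
        elif port < PRIVILEGED_BELOW and "NET_BIND_SERVICE" not in caps:
            status = "MissingCapability"  # hypothetical label
        else:
            status = "Programmed"
        results.append((listener["name"], status))
    return results


def unexpected_capabilities(values, allowed=frozenset({"NET_BIND_SERVICE"})):
    """Capabilities added beyond what binding to 80/443 requires."""
    return added_capabilities(values) - allowed


if __name__ == "__main__":
    for label, vals in (("before", BEFORE), ("after", AFTER)):
        print(label, check_listeners(vals, LISTENERS), unexpected_capabilities(vals))
```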
Reference: unkin/argocd-apps#138