fix(traefik): listen on port 443 directly for Gateway API compatibility #138
Problem

Gateway listeners with `port: 443` were rejected with `PortUnavailable: Cannot find entryPoint for Gateway: no matching entryPoint for port 443 and protocol "HTTPS"`.

Traefik matches Gateway listener ports against its internal entryPoint ports (pod-level), not the Service's `exposedPort`. The `websecure` entryPoint was configured on port `8443`, so port `443` listeners had no match.

Fix

- `ports.websecure.port: 443` — Traefik now binds directly on 443
- `securityContext.capabilities.add: [NET_BIND_SERVICE]` — allows a non-root process to bind to privileged ports (<1024)

The Service `exposedPort` stays at `443`, so external connectivity is unchanged. All existing Gateway listeners (`port: 443`) are correct as-is.

Applies to both internal and external Traefik instances.

Test plan

- `kubectl get gateway -A` shows listeners as `Programmed: True`
- https://rancher.k8s.syd1.au.unkin.net (already merged) is reachable
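
A pre-merge check for the mismatch described above, as an added example (not code from this PR or from Traefik): it compares Gateway listener ports with the pod-level entryPoint ports in Helm-style values and ignores `exposedPort`. The sample values, the Gateway named `example-gateway` and both function names are constructed for illustration; protocol matching is not modelled.

```python
import json

# Constructed sample inputs (not taken from the PR's diff).
VALUES_BEFORE = {"ports": {"web": {"port": 8000, "exposedPort": 80},
                           "websecure": {"port": 8443, "exposedPort": 443}}}
VALUES_AFTER = {"ports": {"web": {"port": 8000, "exposedPort": 80},
                          "websecure": {"port": 443, "exposedPort": 443}},
                "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}
GATEWAY = json.loads("""
{"kind": "Gateway",
 "metadata": {"name": "example-gateway", "namespace": "default"},
 "spec": {"listeners": [{"name": "https", "port": 443, "protocol": "HTTPS"}]}}
""")


def unmatched_listeners(values, gateways):
    """Listeners whose port equals no pod-level entryPoint port.

    exposedPort is deliberately ignored: per the PR, Traefik matches on the
    entryPoint port, so a Service that exposes 443 does not help.
    """
    entry_ports = {ep["port"] for ep in values.get("ports", {}).values()}
    return [(gw["metadata"]["name"], lst["name"], lst["port"])
            for gw in gateways
            for lst in gw["spec"]["listeners"]
            if lst["port"] not in entry_ports]


def privileged_without_cap(values):
    """entryPoints bound below 1024 without NET_BIND_SERVICE in capabilities.add.

    Assumption: the container does not otherwise hold the capability.
    """
    added = values.get("securityContext", {}).get("capabilities", {}).get("add", [])
    if "NET_BIND_SERVICE" in added:
        return []
    return sorted(n for n, ep in values.get("ports", {}).items() if ep["port"] < 1024)


if __name__ == "__main__":
    for label, values in (("before", VALUES_BEFORE), ("after", VALUES_AFTER)):
        print(label, unmatched_listeners(values, [GATEWAY]), privileged_without_cap(values))
```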