From 44cc3d847dd99dadfa889a2107662858b83a23c8 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 23 May 2026 00:31:58 +1000
Subject: [PATCH 1/2] fix(traefik): listen on port 443 directly for Gateway API compatibility

Traefik matches Gateway listener ports against entryPoint internal ports. websecure was on 8443 so port 443 listeners were rejected as PortUnavailable. Change websecure to listen on 443 and add NET_BIND_SERVICE capability to allow binding to privileged ports as a non-root user.
---
 .../au-syd1/traefik-system/values-external.yaml | 11 +++++++++++
 .../au-syd1/traefik-system/values-internal.yaml | 11 +++++++++++
 2 files changed, 22 insertions(+)

diff --git a/apps/overlays/au-syd1/traefik-system/values-external.yaml b/apps/overlays/au-syd1/traefik-system/values-external.yaml
index ea56707..bf8724e 100644
--- a/apps/overlays/au-syd1/traefik-system/values-external.yaml
+++ b/apps/overlays/au-syd1/traefik-system/values-external.yaml
@@ -82,4 +82,15 @@ podSecurityContext:
 seccompProfile:
 type: RuntimeDefault

+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ALL]
+ add: [NET_BIND_SERVICE]
+ readOnlyRootFilesystem: true
+
+ports:
+ websecure:
+ port: 443
+
 enabled: true
diff --git a/apps/overlays/au-syd1/traefik-system/values-internal.yaml b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
index 172827e..5fc2de6 100644
--- a/apps/overlays/au-syd1/traefik-system/values-internal.yaml
+++ b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
@@ -82,4 +82,15 @@ podSecurityContext:
 seccompProfile:
 type: RuntimeDefault

+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ALL]
+ add: [NET_BIND_SERVICE]
+ readOnlyRootFilesystem: true
+
+ports:
+ websecure:
+ port: 443
+
 enabled: true
--
2.47.3

From 587743a305dca1381918a9d1ad9eece8dca42762 Mon Sep 17 00:00:00 2001
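Review bot: In the `securityContext` added to values-external.yaml in PATCH 1/2 (and identically to values-internal.yaml), `add: [NET_BIND_SERVICE]` is unlikely to be what lets a non-root Traefik bind 443: Kubernetes does not raise added capabilities into the ambient set, so a process started with a non-zero UID loses them at exec unless the binary carries file capabilities, and `allowPrivilegeEscalation: false` prevents those from taking effect. Whether the bind succeeds then depends on the container runtime lowering `net.ipv4.ip_unprivileged_port_start`, which these values do not pin; the pod's UID settings are outside the hunk, so the non-root assumption is taken from the commit message. Assuming the pod is not on the host network, I would state the requirement explicitly with `sysctls: [{name: net.ipv4.ip_unprivileged_port_start, value: "0"}]` under the existing `podSecurityContext` and drop the `add:` line so the container keeps `drop: [ALL]` only. Either way, confirm on a running pod that the entryPoint actually comes up after the rollout.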
From: Ben Vincent
Date: Sat, 23 May 2026 00:42:03 +1000
Subject: [PATCH 2/2] fix(traefik): also move web entryPoint to port 80

---
 apps/overlays/au-syd1/traefik-system/values-external.yaml | 2 ++
 apps/overlays/au-syd1/traefik-system/values-internal.yaml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/apps/overlays/au-syd1/traefik-system/values-external.yaml b/apps/overlays/au-syd1/traefik-system/values-external.yaml
index bf8724e..950a35f 100644
--- a/apps/overlays/au-syd1/traefik-system/values-external.yaml
+++ b/apps/overlays/au-syd1/traefik-system/values-external.yaml
@@ -90,6 +90,8 @@ securityContext:
 readOnlyRootFilesystem: true

 ports:
+ web:
+ port: 80
 websecure:
 port: 443

diff --git a/apps/overlays/au-syd1/traefik-system/values-internal.yaml b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
index 5fc2de6..3c28466 100644
--- a/apps/overlays/au-syd1/traefik-system/values-internal.yaml
+++ b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
@@ -90,6 +90,8 @@ securityContext:
 readOnlyRootFilesystem: true

 ports:
+ web:
+ port: 80
 websecure:
 port: 443

--
2.47.3
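Review bot: The `web` entryPoint added under `ports:` in values-external.yaml in PATCH 2/2 (same hunk in values-internal.yaml) carries only `port: 80`, so nothing in this change shows plaintext requests being sent on to `websecure`. If a redirect is not already configured elsewhere (an HTTPRoute redirect filter or the chart's entryPoint redirection setting; neither is visible here), routes attached to a port 80 listener on the external instance would be served over HTTP. I would at least record the intent next to the key, e.g. `# web: plaintext listener, must equal Gateway listener port 80; HTTPS redirect is configured in <where it is configured>`. The rest of each values file, including the start of `securityContext`, is outside the hunk.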