0940cc20f8
## Problem

Gateway listeners with `port: 443` were rejected with `PortUnavailable: Cannot find entryPoint for Gateway: no matching entryPoint for port 443 and protocol "HTTPS"`.

Traefik matches Gateway listener ports against its internal entryPoint ports (pod-level), not the Service's `exposedPort`. The `websecure` entryPoint was configured on port `8443`, so port `443` listeners had no match.

## Fix

- `ports.websecure.port: 443` — Traefik now binds directly on 443
- `securityContext.capabilities.add: [NET_BIND_SERVICE]` — allows a non-root process to bind to privileged ports (<1024)

The Service `exposedPort` stays at `443`, so external connectivity is unchanged. All existing Gateway listeners (`port: 443`) are correct as-is.

Applies to both internal and external Traefik instances.

## Test plan

- [ ] Traefik pods restart cleanly
- [ ] `kubectl get gateway -A` shows listeners as `Programmed: True`
- [ ] `https://rancher.k8s.syd1.au.unkin.net` (already merged) is reachable

Reviewed-on: #138
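A pre-flight check for the mismatch this commit describes, as an added example that is not part of the commit or the repository: it compares Gateway listener ports with the pod-level entryPoint ports in the Helm values and flags a privileged entryPoint port that lacks `NET_BIND_SERVICE`. The function name, the sample values and the Gateway name are constructed; the match is modelled on port only, and privileged ports are assumed to be those below 1024.

```python
# Added example (not the project's code). Simplified model: a listener is
# servable only if some entryPoint's pod-level `port` equals the listener
# port; Traefik's additional protocol/TLS matching is not modelled.

def check(values, gateways):
    """Return findings for Traefik Helm values plus Gateway manifests (dicts)."""
    ports = values.get("ports", {})
    entry_ports = {cfg["port"]: name for name, cfg in ports.items()}
    caps = values.get("securityContext", {}).get("capabilities", {}).get("add", [])
    findings = []
    for gw in gateways:
        gw_id = f'{gw["metadata"]["namespace"]}/{gw["metadata"]["name"]}'
        for lst in gw["spec"]["listeners"]:
            if lst["port"] in entry_ports:
                continue
            # The Service's exposedPort matching is the trap described above.
            exposed = [n for n, c in ports.items() if c.get("exposedPort") == lst["port"]]
            hint = f" (only exposedPort of {exposed} matches)" if exposed else ""
            findings.append(
                f'{gw_id} listener {lst["name"]}: no entryPoint on port {lst["port"]}{hint}')
    # Assumption: non-root container, default unprivileged port start of 1024.
    for port, name in entry_ports.items():
        if port < 1024 and "NET_BIND_SERVICE" not in caps:
            findings.append(
                f"entryPoint {name}: port {port} is privileged but NET_BIND_SERVICE is not added")
    return findings

# Constructed sample inputs.
BEFORE = {"ports": {"websecure": {"port": 8443, "exposedPort": 443}},
          "securityContext": {"capabilities": {"drop": ["ALL"]}}}
AFTER = {"ports": {"websecure": {"port": 443, "exposedPort": 443}},
         "securityContext": {"capabilities": {"drop": ["ALL"],
                                              "add": ["NET_BIND_SERVICE"]}}}
# Port moved to 443 but the capability was forgotten.
HALF_FIX = {"ports": {"websecure": {"port": 443, "exposedPort": 443}},
            "securityContext": {"capabilities": {"drop": ["ALL"]}}}
GATEWAYS = [{"metadata": {"namespace": "example", "name": "example-gateway"},
             "spec": {"listeners": [{"name": "https", "port": 443,
                                     "protocol": "HTTPS"}]}}]

if __name__ == "__main__":
    for label, vals in (("before", BEFORE), ("after", AFTER), ("half-fix", HALF_FIX)):
        print(label, check(vals, GATEWAYS) or "ok")
```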