feat: configurable tls port

api/crds/manifests/gateway.openmcp.cloud_gatewayserviceconfigs.yaml

@@ -156,9 +156,20 @@ spec:
                 required:
                 - chart
                 type: object
+              gateway:
+                description: Gateway configuration.
+                properties:
+                  tlsPort:
+                    default: 9443
+                    description: TLSPort is the port on which the gateway will listen
+                      for TLS traffic.
+                    format: int32
+                    type: integer
+                type: object
             required:
             - dns
             - envoyGateway
+            - gateway
             type: object
         type: object
     served: true

api/gateway/v1alpha1/config_types.go

@@ -13,6 +13,9 @@ type GatewayServiceConfigSpec struct {
 	// Clusters that should be included in the gateway configuration.
 	Clusters []ClusterTerm `json:"clusters,omitempty"`
 
+	// Gateway configuration.
+	Gateway GatewayConfig `json:"gateway"`
+
 	// DNS configuration.
 	DNS DNSConfig `json:"dns"`
 }
@@ -88,6 +91,12 @@ type ImagesConfig struct {
 	ImagePullSecrets []meta.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 }
 
+type GatewayConfig struct {
+	// TLSPort is the port on which the gateway will listen for TLS traffic.
+	// +kubebuilder:default=9443
+	TLSPort int32 `json:"tlsPort,omitempty"`
+}
+
 type DNSConfig struct {
 	// BaseDomain is the domain from which subdomains will be derived. Example: dev.openmcp.example.com.
 	// +kubebuilder:validation:Required

internal/controllers/cluster/controller.go

@@ -228,6 +228,7 @@ func (r *ClusterReconciler) buildGatewayManager(ctx context.Context, req reconci
 	gw := &envoy.Gateway{
 		Cluster:        c,
 		EnvoyConfig:    r.Config.Spec.EnvoyGateway,
+		GatewayConfig:  r.Config.Spec.Gateway,
 		DNSConfig:      r.Config.Spec.DNS,
 		PlatformClient: r.PlatformCluster.Client(),
 		ClusterClient:  access.Client(),

pkg/envoy/config.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"strconv"
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
@@ -27,6 +28,7 @@ const (
 	gatewayClassName     = "envoy-gateway"
 	gatewayName          = "default"
 	gatewayNamespace     = "openmcp-system"
+	tlsPortAnnotation    = "gateway.openmcp.cloud/tls-port"
 	baseDomainAnnotation = "dns.openmcp.cloud/base-domain"
 )
 
@@ -102,7 +104,7 @@ func (g *Gateway) reconcileGatewayFunc(obj *gatewayv1.Gateway) func() error {
 		obj.Spec.Listeners = []gatewayv1.Listener{
 			{
 				Name:     "tls",
-				Port:     9443,
+				Port:     g.getTLSPort(),
 				Protocol: gatewayv1.TLSProtocolType,
 				TLS: &gatewayv1.ListenerTLSConfig{
 					Mode: ptr.To(gatewayv1.TLSModePassthrough),
@@ -124,6 +126,7 @@ func (g *Gateway) reconcileGatewayFunc(obj *gatewayv1.Gateway) func() error {
 		}
 
 		baseDomain := g.generateBaseDomain()
+		metav1.SetMetaDataAnnotation(&obj.ObjectMeta, tlsPortAnnotation, strconv.Itoa(int(g.getTLSPort())))
 		metav1.SetMetaDataAnnotation(&obj.ObjectMeta, baseDomainAnnotation, baseDomain)
 
 		return nil
@@ -134,6 +137,13 @@ func (g *Gateway) generateBaseDomain() string {
 	return fmt.Sprintf("%s.%s.%s", g.Cluster.Name, g.Cluster.Namespace, g.DNSConfig.BaseDomain)
 }
 
+func (g *Gateway) getTLSPort() int32 {
+	if g.GatewayConfig.TLSPort != 0 {
+		return g.GatewayConfig.TLSPort
+	}
+	return 9443
+}
+
 // ----- EnvoyProxy -----
 
 func getEnvoyProxy() *unstructured.Unstructured {

pkg/envoy/deployment.go

@@ -30,6 +30,7 @@ const (
 type Gateway struct {
 	Cluster        *clustersv1alpha1.Cluster
 	EnvoyConfig    v1alpha1.EnvoyGatewayConfig
+	GatewayConfig  v1alpha1.GatewayConfig
 	DNSConfig      v1alpha1.DNSConfig
 	PlatformClient client.Client
 	ClusterClient  client.Client