Add 443 and 8443 as trusted ports for controller

2 files changed, 5 insertions, 2 deletions

diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
index 5060510be20..ca6865300ee 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
@@ -224,8 +224,11 @@ public class NodeRepository extends AbstractComponent {
 
             case controller:
                 // Controllers:
-                // - port 4443 (HTTPS) from the world
+                // - port 4443 (HTTPS + Athenz) from the world
+                // - port 443+8443 (HTTPS + Okta) from the world. NOTE: controller host has 443->8443 iptable mapping.
                 trustedPorts.add(4443);
+                trustedPorts.add(443);
+                trustedPorts.add(8443);
                 break;
 
             default:
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
index 5d8bde960d8..e2f3df97314 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
@@ -161,7 +161,7 @@ public class AclProvisioningTest {
         // Controllers and hosts all trust each other
         List<NodeAcl> controllerAcls = tester.nodeRepository().getNodeAcls(controllers.get(0), false);
         assertAcls(Collections.singletonList(controllers), controllerAcls);
-        assertEquals(ImmutableSet.of(22, 4443), controllerAcls.get(0).trustedPorts());
+        assertEquals(ImmutableSet.of(22, 4443, 443, 8443), controllerAcls.get(0).trustedPorts());
     }
 
     @Test