Trying to enable TLS port on ambassador using helm chart's service.annotations option. However it is either turning into incorrect config (where tls context is attached to cleartext port) or trying to bind 80 and 443 ports.

I've ambassador as a sub chart to my main chart. And I've defined values for this subchart as follows -

ambassador:
  replicaCount: 1
  service:
    annotations: {"getambassador.io/config": "---\napiVersion: ambassador/v1\nkind: Module\nname: tls\nconfig:\n  server:\n    enabled: true\n    secret: ambassador-certs\n    redirect_cleartext_from: 8080\n"}

This results in binding the listener to port 443 always ignoring the actual tls target port (8443).

requirements.yaml look like this

dependencies:
- name: ambassador
  version: 2.0.*
  repository: "@stable"

Checking the logs reveal that the listener is being created on port 443 and fails as it is not being run as root. If I keep both ambassador and tls modules, then the tls context is always attached to port 8080 and making it a tls port. /ambassador/envoy/envoy.json has always one listener (8080). The chart being is used is ambassador-2.0.2. Any idea why this behavior?