feat(api): use tls when running locally (#405)

Co-authored-by: Tristan Holaday <40547442+TristanHoladay@users.noreply.github.com>

.gitignore

@@ -33,3 +33,7 @@ tmp/
 
 *.pem
 .github/test-infra/**/.terraform*
+
+# Allow certs in hack/certs
+!hack/certs/cert.pem
+!hack/certs/key.pem

.pre-commit-config.yaml

@@ -12,6 +12,7 @@ repos:
         args:
           - "--allow-missing-credentials"
       - id: detect-private-key
+        exclude: 'hack/certs/key.pem'
       - id: end-of-file-fixer
         exclude_types:
           - json

hack/certs/README.md

@@ -0,0 +1,5 @@
+# Certs
+
+The certs in this directory are primarily used for dev'ing on UDS with HTTPS. They are also being used to enable TLS when running UDS Runtime locally (such as when doing `uds ui`).
+
+The certs are not sensitive and were taken from the UDS Core repo [here](https://github.com/defenseunicorns/uds-core/blob/main/src/istio/values/config-tenant.yaml); specifically these are the default certs for the Istio tenant gateway.

hack/certs/cert.pem

@@ -0,0 +1,102 @@
+-----BEGIN CERTIFICATE-----
+MIIGJTCCBQ2gAwIBAgIRAOdpAaehw6DVJ36q7EuGM6owDQYJKoZIhvcNAQELBQAw
+gY8xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
+BgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE3MDUGA1UE
+AxMuU2VjdGlnbyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
+QTAeFw0yMzEwMTcwMDAwMDBaFw0yNDExMTYyMzU5NTlaMBQxEjAQBgNVBAMMCSou
+dWRzLmRldjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJghSe/r1qIG
+7ReGnwIwZVc2jBRxxpCdvMYORz66plKm/9+9f0Ud0xcymfUaLGWe9k2veeRBPbY6
+GJHyjdxup/sMpaCWBLY7vnmopodKmnzsGY9fj48zxBCvEChmylI35Hb8vyoYlhL+
+k7klZEOJHbXoDW2pQnBugthvVuZmmckkGhWHjyv2l5gf5SDJRQrsPY7KAv+Exr7Z
+u9+Dsm4YACSjF7XZwv3FVl0MbQhtbFTkQN0RSG8yTZ8LTFCyvC3Hbh291u/cyo+v
+qUwWfbCGYk3GJko4xj8bdl6qih5hw0Gt4o9TjS+nZpAL01XbCfKO0/HCOr+cM6Au
+dnVm5zUz8k0CAwEAAaOCAvQwggLwMB8GA1UdIwQYMBaAFI2MXsRUrYrhd+mb+ZsF
+4bgBjWHhMB0GA1UdDgQWBBQYS8SI7Hqw/LUjkp+I36ChMkJjbzAOBgNVHQ8BAf8E
+BAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
+AwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICBzAlMCMGCCsGAQUFBwIBFhdodHRw
+czovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYQGCCsGAQUFBwEBBHgwdjBP
+BggrBgEFBQcwAoZDaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBRG9t
+YWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAjBggrBgEFBQcwAYYXaHR0
+cDovL29jc3Auc2VjdGlnby5jb20wHQYDVR0RBBYwFIIJKi51ZHMuZGV2ggd1ZHMu
+ZGV2MIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgB2/4g/Crb7lVHCYcz1h7o0
+tKTNuyncaEIKn+ZnTFo6dAAAAYs8UaCDAAAEAwBHMEUCIG9mn+DGpZufRylyaJRN
+2UaPnNah7cm0MiYVnnWas6e6AiEA8r2LdHNRXGZf/CM8imbSzSvylQl4uaCCSGPg
+erG1WrkAdgDatr9rP7W2Ip+bwrtca+hwkXFsu1GEhTS9pD0wSNf7qwAAAYs8UaDc
+AAAEAwBHMEUCIQCHLoL2/tehz3XTvopX5emHiCyqbA2u+A1AqMeedU660gIgKKg0
+RmCzdqkNdzoMpgDoEgEJao2U8Yu8JXakDhoUAlwAdgDuzdBk1dsazsVct520zROi
+ModGfLzs3sNRSFlGcR+1mwAAAYs8UaEBAAAEAwBHMEUCIHdsOtLkRKq6APeyGuil
+RxL/o3zCKqSOU8joJTlOPy22AiEAoFytoFqYeNMPJ+8dGQynl4GfmdAq2+fPoxeQ
+zhrTKj8wDQYJKoZIhvcNAQELBQADggEBAJ8rXPgjtsCTFCksdJrtbvJ+cUBObUPG
+gOBNQJ6tsdkGCu6LDI6e++Tot7CBB2MR48Pi3CI6n/KjMIM4bx8GvUnKUo9sKtbB
+ZUBPI7/uZyrE+lnFqOSgz4pAVsWKbQcuGJpBzpTIZGSPORf8dzWmBt+ptmiv1o2h
+5l3xX+P3L9cRbIjNUwuuLwHcyVRxfuwCOPHa/qYNMW+f1nEoiYdm/knOtYrVy/F3
+7tf+Oys2F2fyix5JumbCp+SO5yj/WvV282sCKVZKzdg8FJWupubd+frO6dejPlTG
+koPDwo8RzJ4jTp1cWt5l4R1k1qluie+wh9sNOKlBVXFHSVS7H1Cnf90=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
+iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
+cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
+BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
+MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV
+BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
+ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g
+VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N
+TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj
+eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E
+oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk
+Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY
+uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j
+BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb
++ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
+A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw
+CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0
+LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr
+BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv
+bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov
+L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H
+ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH
+7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi
+H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx
+RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv
+xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38
+sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL
+l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq
+6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY
+LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5
+yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
+00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
+MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
+VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
+AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
+MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
+MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
+ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
+s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
+vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
+Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
+IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
+tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
+xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
+icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
+D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
+WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
+5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
+KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
+EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
+ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
+BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
+L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
+A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
+rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
+/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
+CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
+zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
+vGp4z7h/jnZymQyd/teRCBaho1+V
+-----END CERTIFICATE-----

hack/certs/key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCYIUnv69aiBu0X
+hp8CMGVXNowUccaQnbzGDkc+uqZSpv/fvX9FHdMXMpn1GixlnvZNr3nkQT22OhiR
+8o3cbqf7DKWglgS2O755qKaHSpp87BmPX4+PM8QQrxAoZspSN+R2/L8qGJYS/pO5
+JWRDiR216A1tqUJwboLYb1bmZpnJJBoVh48r9peYH+UgyUUK7D2OygL/hMa+2bvf
+g7JuGAAkoxe12cL9xVZdDG0IbWxU5EDdEUhvMk2fC0xQsrwtx24dvdbv3MqPr6lM
+Fn2whmJNxiZKOMY/G3ZeqooeYcNBreKPU40vp2aQC9NV2wnyjtPxwjq/nDOgLnZ1
+Zuc1M/JNAgMBAAECggEARDitbQOwYUHE4gdzWCp2z7j88ZAiMSkjhhfSGE3gl3Ef
+jujuYYLh7mW5SAKgRUQXhTf7bAJb19POv+hreJ5BA2KlBdIws74wCWO5pjMs+3dv
+cO20Nc5LjwXKs6uA8ITzFe77FTgoWMVEXsNnZqffJHu3ReWhD0VntQKdED6TmXC/
+nvBA4pvGDeA/Gd5e0kec77SNxAcJIs0ltnZ/Dcm18Y6d1WY7ljL5k4z2JTpXZcBo
+bm/BTcA9wXAhQUAC5YJix7E9Js2FvAHdxU5jAXQk0o3vI4WgByBMc9neGg/R9Hve
+25J/dPJpIYGxq2ywyKDZxhxmQc+uvl53rmXsbHd+6wKBgQDJXU4l/fJoci5PLqAJ
+hL6jNugvNRKZXwFCc/4X0R/xdWkD3OX5IukPc7+bCcpoBgzuAqDqcxNek+03m5P6
+THj6fthzYHrDZy5AhzmH9l5NjipJwltqBIDEOH0Dlv1/qF+zfIgbA8VJ0MZRKcSk
+JbfeKg1Ujl7ACUUJYIwR7zdGqwKBgQDBaC3qFsribIt3n5SddL6UhHniUKSlHs9R
+wEG43wyx8d8AIYLOz9USKOVS24iALRkUDR6xyzTDMDnC8BarFHc12UzoLtDVyUw+
+/u9urNdTu6kjmdCe3xnbWDaKl82XqGTH0Yt/NRHZm0s/So7xFqbvYM6PzruCwRLY
+M39uFrGK5wKBgEhTz2IuGQgTGzct1CYXHDKb4kIymf+k9FreNwJvBz4/ofzVN3WJ
+aJU4SjZyCdXbdoF3SD1uICL0l1xF8Z0SItI3BaBLo0zUnvRmne+MOss4qU/dE+C8
+xVO1xpGnhl54KAfcTzcE37Rn3RQCILOlKKoQCMG6caYgrj90AlvexMgJAoGBAIJA
+DuvffbMPNr3REt0XimGq9gqcFMW/AhAkUh6W2I3ePjhwWQ++l9grAoXSoxLvTDxc
+uZczKs1o5P2LgzikB8SUG18iaDIR5u9l8QmwDTOu5jG7nOvhhCBcQB8GLMc9+OE5
+FaENtH/APeTZ6Xojrzj3ESV4LH/aVz6TL/aMAfVxAoGBAKSiEif4b+M7pSo95fzJ
+xjzp03hkcZ0JreU1DOyIZi9hfttgzvkLnI+KN82500fFhNGndXsWFDC5tYHQmFCh
+UEX4Co+Z1iGEfi3KRMarb90LhMJziaUmT9Ufa/DiuoklwgP+v6DqdBB0zhMzDZBz
+YyfzHvCdJsBCP0WYvMqaejeO
+-----END PRIVATE KEY-----

main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"embed"
 	"log"
 	"net/http"
@@ -13,18 +14,51 @@ import (
 //go:embed ui/build/*
 var assets embed.FS
 
+//go:embed hack/certs/cert.pem
+var localCert []byte
+
+//go:embed hack/certs/key.pem
+var localKey []byte
+
 func main() {
 	message.SetLogLevel(message.DebugLevel)
-	r, err := api.Setup(&assets)
+
+	r, inCluster, err := api.Setup(&assets)
 	if err != nil {
 		// Log the error and exit
 		message.WarnErr(err, "failed to start the API server")
 		os.Exit(1)
 	}
-	log.Println("Starting server on :8080")
+
 	//nolint:gosec,govet
-	if err = http.ListenAndServe(":8080", r); err != nil {
-		message.WarnErrf(err, "server failed to start: %s", err.Error())
-		os.Exit(1)
+	if inCluster {
+		log.Println("Starting server on :8080")
+
+		if err = http.ListenAndServe(":8080", r); err != nil {
+			message.WarnErrf(err, "server failed to start: %s", err.Error())
+			os.Exit(1)
+		}
+	} else {
+		// create tls config from embedded cert and key
+		cert, err := tls.X509KeyPair(localCert, localKey)
+		if err != nil {
+			log.Fatalf("Failed to load embedded certificate: %v", err)
+		}
+		tlsConfig := &tls.Config{
+			Certificates: []tls.Certificate{cert},
+		}
+
+		// Create a server with TLS config
+		server := &http.Server{
+			Addr:      ":8443",
+			Handler:   r,
+			TLSConfig: tlsConfig,
+		}
+
+		log.Println("Starting server on :8443")
+		if err = server.ListenAndServeTLS("", ""); err != nil {
+			message.WarnErrf(err, "server failed to start: %s", err.Error())
+			os.Exit(1)
+		}
 	}
 }

pkg/api/start.go

@@ -38,16 +38,28 @@ type K8sResources struct {
 	cancel         context.CancelFunc
 }
 
+// Setup initializes the API server with the given assets
+// It returns the chi router, a boolean indicating if the server is running in cluster, and an error if any
 // @title UDS Runtime API
 // @version 0.0.0
 // @license.name Apache 2.0
 // @license.url http://www.apache.org/licenses/LICENSE-2.0.html
 // @BasePath /api/v1
 // @schemes http https
-func Setup(assets *embed.FS) (*chi.Mux, error) {
-	apiAuth, token, err := checkForLocalAuth()
+func Setup(assets *embed.FS) (*chi.Mux, bool, error) {
+	var apiAuth bool
+	var token string
+
+	inCluster, err := isRunningInCluster()
 	if err != nil {
-		return nil, fmt.Errorf("failed to set auth: %w", err)
+		return nil, inCluster, fmt.Errorf("failed to check if running in cluster: %w", err)
+	}
+
+	if !inCluster {
+		apiAuth, token, err = checkForLocalAuth()
+		if err != nil {
+			return nil, inCluster, fmt.Errorf("failed to set auth: %w", err)
+		}
 	}
 
 	authSVC := checkForClusterAuth()
@@ -73,24 +85,18 @@ func Setup(assets *embed.FS) (*chi.Mux, error) {
 	// Setup k8s resources
 	k8sResources, err := setupK8sResources()
 	if err != nil {
-		return nil, fmt.Errorf("failed to setup k8s resources: %w", err)
+		return nil, inCluster, fmt.Errorf("failed to setup k8s resources: %w", err)
 	}
 
 	// Create the disconnected channel
 	disconnected := make(chan error)
 
-	inCluster, err := isRunningInCluster()
-	if err != nil {
-		k8sResources.cancel()
-		return nil, fmt.Errorf("failed to check if running in cluster: %w", err)
-	}
-
 	// Get current k8s context and start the reconnection goroutine if NOT in cluster
 	if !inCluster {
 		currentCtx, currentCluster, err := k8s.GetCurrentContext()
 		if err != nil {
 			k8sResources.cancel()
-			return nil, fmt.Errorf("failed to get current context: %w", err)
+			return nil, inCluster, fmt.Errorf("failed to get current context: %w", err)
 		}
 
 		k8sResources.currentCtx = currentCtx
@@ -230,30 +236,30 @@ func Setup(assets *embed.FS) (*chi.Mux, error) {
 	})
 
 	if apiAuth {
-		port := "8080"
-		ip := "127.0.0.1"
+		port := "8443"
+		host := "runtime-local.uds.dev"
 		colorYellow := "\033[33m"
 		colorReset := "\033[0m"
-		url := fmt.Sprintf("http://%s:%s?token=%s", ip, port, token)
+		url := fmt.Sprintf("https://%s:%s?token=%s", host, port, token)
 		log.Printf("%sRuntime API connection: %s%s", colorYellow, url, colorReset)
 		err := exec.LaunchURL(url)
 		if err != nil {
-			return nil, fmt.Errorf("failed to launch URL: %w", err)
+			return nil, inCluster, fmt.Errorf("failed to launch URL: %w", err)
 		}
 	}
 
 	// Serve static files from embed.FS
 	if assets != nil {
 		staticFS, err := fs.Sub(assets, "ui/build")
 		if err != nil {
-			return nil, fmt.Errorf("failed to create static file system: %w", err)
+			return nil, inCluster, fmt.Errorf("failed to create static file system: %w", err)
 		}
 
 		if err := fileServer(r, http.FS(staticFS)); err != nil {
-			return nil, fmt.Errorf("failed to serve static files: %w", err)
+			return nil, inCluster, fmt.Errorf("failed to serve static files: %w", err)
 		}
 	}
-	return r, nil
+	return r, inCluster, nil
 }
 
 func setupK8sResources() (*K8sResources, error) {

pkg/test/api_test.go

@@ -30,7 +30,7 @@ type TestRoute struct {
 
 func setup() (*chi.Mux, error) {
 	os.Setenv("API_AUTH_DISABLED", "true")
-	r, err := api.Setup(nil)
+	r, _, err := api.Setup(nil)
 	return r, err
 }
 

ui/playwright.config.apiauth.ts

@@ -2,7 +2,7 @@ import { defineConfig } from '@playwright/test'
 import { loadEnv } from 'vite'
 
 const { VITE_PORT_ENV } = loadEnv('dev', process.cwd())
-const port = VITE_PORT_ENV ?? '8080'
+const port = VITE_PORT_ENV ?? '8443'
 
 export default defineConfig({
   timeout: 60 * 1000,
@@ -11,7 +11,7 @@ export default defineConfig({
   retries: 0,
   testMatch: /(.+\.)?(test|spec)\.[jt]s/,
   use: {
-    baseURL: `http://localhost:${port}/`,
+    baseURL: `https://runtime-local.uds.dev:${port}/`,
   },
 })
 

ui/playwright.config.ts

@@ -2,12 +2,16 @@ import { defineConfig } from '@playwright/test'
 import { loadEnv } from 'vite'
 
 const { VITE_PORT_ENV } = loadEnv('dev', process.cwd())
-const port = VITE_PORT_ENV ?? '8080'
+
+// use port 8443 because by default we use TLS when running locally
+const port = VITE_PORT_ENV ?? '8443'
+const protocol = 'https'
+const host = 'runtime-local.uds.dev'
 
 export default defineConfig({
   webServer: {
     command: 'API_AUTH_DISABLED=true ../build/uds-runtime',
-    url: `http://localhost:${port}`,
+    url: `${protocol}://${host}:${port}`,
     reuseExistingServer: !process.env.CI,
   },
   timeout: 10 * 1000,
@@ -17,7 +21,7 @@ export default defineConfig({
   retries: process.env.CI ? 2 : 1,
   testMatch: /^(?!.*api-auth)(.+\.)?(test|spec)\.[jt]s$/,
   use: {
-    baseURL: `http://localhost:${port}/`,
+    baseURL: `${protocol}://${host}:${port}/`,
   },
 })
 

ui/vite.config.ts

@@ -9,12 +9,13 @@ export default defineConfig(({ mode }) => ({
   server: {
     proxy: {
       // Proxy all requests starting with /api to the go server
+      // noting that we ues https and 8443 because by default we use TLS when running locally
       '/api': {
-        target: 'http://localhost:8080',
+        target: 'https://runtime-local:8443',
         changeOrigin: true,
       },
       '/health': {
-        target: 'http://localhost:8080',
+        target: 'https://runtime-local:8443',
         changeOrigin: true,
       },
     },