From d4764ebcff0ad5c3b4d3dfaee563429ce07d4e87 Mon Sep 17 00:00:00 2001 From: UncleGedd <42304551+UncleGedd@users.noreply.github.com> Date: Tue, 1 Oct 2024 12:36:33 -0500 Subject: [PATCH] feat(api): use tls when running locally (#405) Co-authored-by: Tristan Holaday <40547442+TristanHoladay@users.noreply.github.com> --- .gitignore | 4 ++ .pre-commit-config.yaml | 1 + hack/certs/README.md | 5 ++ hack/certs/cert.pem | 102 ++++++++++++++++++++++++++++++++ hack/certs/key.pem | 28 +++++++++ main.go | 44 ++++++++++++-- pkg/api/start.go | 42 +++++++------ pkg/test/api_test.go | 2 +- ui/playwright.config.apiauth.ts | 4 +- ui/playwright.config.ts | 10 +++- ui/vite.config.ts | 5 +- 11 files changed, 216 insertions(+), 31 deletions(-) create mode 100644 hack/certs/README.md create mode 100644 hack/certs/cert.pem create mode 100644 hack/certs/key.pem diff --git a/.gitignore b/.gitignore index c9263509..b8c00941 100644 --- a/.gitignore +++ b/.gitignore @@ -33,3 +33,7 @@ tmp/ *.pem .github/test-infra/**/.terraform* + +# Allow certs in hack/certs +!hack/certs/cert.pem +!hack/certs/key.pem diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1e31e5fb..cfed03c5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -12,6 +12,7 @@ repos: args: - "--allow-missing-credentials" - id: detect-private-key + exclude: 'hack/certs/key.pem' - id: end-of-file-fixer exclude_types: - json diff --git a/hack/certs/README.md b/hack/certs/README.md new file mode 100644 index 00000000..dbd73945 --- /dev/null +++ b/hack/certs/README.md 
@@ -0,0 +1,5 @@ +# Certs + +The certs in this directory are primarily used for dev'ing on UDS with HTTPS. They are also being used to enable TLS when running UDS Runtime locally (such as when doing `uds ui`). + +The certs are not sensitive and were taken from the UDS Core repo [here](https://github.com/defenseunicorns/uds-core/blob/main/src/istio/values/config-tenant.yaml); specifically these are the default certs for the Istio tenant gateway. diff --git a/hack/certs/cert.pem b/hack/certs/cert.pem new file mode 100644 index 00000000..8173d4be --- /dev/null +++ b/hack/certs/cert.pem 
@@ -0,0 +1,102 @@ +-----BEGIN CERTIFICATE----- +MIIGJTCCBQ2gAwIBAgIRAOdpAaehw6DVJ36q7EuGM6owDQYJKoZIhvcNAQELBQAw +gY8xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO +BgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE3MDUGA1UE +AxMuU2VjdGlnbyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD +QTAeFw0yMzEwMTcwMDAwMDBaFw0yNDExMTYyMzU5NTlaMBQxEjAQBgNVBAMMCSou +dWRzLmRldjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJghSe/r1qIG +7ReGnwIwZVc2jBRxxpCdvMYORz66plKm/9+9f0Ud0xcymfUaLGWe9k2veeRBPbY6 +GJHyjdxup/sMpaCWBLY7vnmopodKmnzsGY9fj48zxBCvEChmylI35Hb8vyoYlhL+ +k7klZEOJHbXoDW2pQnBugthvVuZmmckkGhWHjyv2l5gf5SDJRQrsPY7KAv+Exr7Z +u9+Dsm4YACSjF7XZwv3FVl0MbQhtbFTkQN0RSG8yTZ8LTFCyvC3Hbh291u/cyo+v +qUwWfbCGYk3GJko4xj8bdl6qih5hw0Gt4o9TjS+nZpAL01XbCfKO0/HCOr+cM6Au +dnVm5zUz8k0CAwEAAaOCAvQwggLwMB8GA1UdIwQYMBaAFI2MXsRUrYrhd+mb+ZsF +4bgBjWHhMB0GA1UdDgQWBBQYS8SI7Hqw/LUjkp+I36ChMkJjbzAOBgNVHQ8BAf8E +BAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH +AwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICBzAlMCMGCCsGAQUFBwIBFhdodHRw +czovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgEwgYQGCCsGAQUFBwEBBHgwdjBP +BggrBgEFBQcwAoZDaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBRG9t +YWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAjBggrBgEFBQcwAYYXaHR0 +cDovL29jc3Auc2VjdGlnby5jb20wHQYDVR0RBBYwFIIJKi51ZHMuZGV2ggd1ZHMu +ZGV2MIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgB2/4g/Crb7lVHCYcz1h7o0 +tKTNuyncaEIKn+ZnTFo6dAAAAYs8UaCDAAAEAwBHMEUCIG9mn+DGpZufRylyaJRN +2UaPnNah7cm0MiYVnnWas6e6AiEA8r2LdHNRXGZf/CM8imbSzSvylQl4uaCCSGPg +erG1WrkAdgDatr9rP7W2Ip+bwrtca+hwkXFsu1GEhTS9pD0wSNf7qwAAAYs8UaDc +AAAEAwBHMEUCIQCHLoL2/tehz3XTvopX5emHiCyqbA2u+A1AqMeedU660gIgKKg0 +RmCzdqkNdzoMpgDoEgEJao2U8Yu8JXakDhoUAlwAdgDuzdBk1dsazsVct520zROi +ModGfLzs3sNRSFlGcR+1mwAAAYs8UaEBAAAEAwBHMEUCIHdsOtLkRKq6APeyGuil +RxL/o3zCKqSOU8joJTlOPy22AiEAoFytoFqYeNMPJ+8dGQynl4GfmdAq2+fPoxeQ +zhrTKj8wDQYJKoZIhvcNAQELBQADggEBAJ8rXPgjtsCTFCksdJrtbvJ+cUBObUPG +gOBNQJ6tsdkGCu6LDI6e++Tot7CBB2MR48Pi3CI6n/KjMIM4bx8GvUnKUo9sKtbB 
+ZUBPI7/uZyrE+lnFqOSgz4pAVsWKbQcuGJpBzpTIZGSPORf8dzWmBt+ptmiv1o2h +5l3xX+P3L9cRbIjNUwuuLwHcyVRxfuwCOPHa/qYNMW+f1nEoiYdm/knOtYrVy/F3 +7tf+Oys2F2fyix5JumbCp+SO5yj/WvV282sCKVZKzdg8FJWupubd+frO6dejPlTG +koPDwo8RzJ4jTp1cWt5l4R1k1qluie+wh9sNOKlBVXFHSVS7H1Cnf90= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB +iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl +cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV +BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx +MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV +BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE +ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g +VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N +TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj +eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E +oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk +Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY +uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j +BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb ++ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw +CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0 +LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr +BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv +bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov +L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H +ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH +7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi +H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx 
+RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv +xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38 +sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL +l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq +6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY +LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5 +yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K +00u/I5sUKUErmgQfky3xxzlIPK1aEn8= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7 +MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD +VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE +AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4 +MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5 +MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO +ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI +s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG +vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ +Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb +IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0 +tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E +xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV +icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5 +D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ +WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ +5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG +KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg +EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID +ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG 
+BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t +L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr +BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA +A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+ +rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+ +/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA +CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F +zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA +vGp4z7h/jnZymQyd/teRCBaho1+V +-----END CERTIFICATE----- diff --git a/hack/certs/key.pem b/hack/certs/key.pem new file mode 100644 index 00000000..55fd39ae --- /dev/null +++ b/hack/certs/key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCYIUnv69aiBu0X +hp8CMGVXNowUccaQnbzGDkc+uqZSpv/fvX9FHdMXMpn1GixlnvZNr3nkQT22OhiR +8o3cbqf7DKWglgS2O755qKaHSpp87BmPX4+PM8QQrxAoZspSN+R2/L8qGJYS/pO5 +JWRDiR216A1tqUJwboLYb1bmZpnJJBoVh48r9peYH+UgyUUK7D2OygL/hMa+2bvf +g7JuGAAkoxe12cL9xVZdDG0IbWxU5EDdEUhvMk2fC0xQsrwtx24dvdbv3MqPr6lM +Fn2whmJNxiZKOMY/G3ZeqooeYcNBreKPU40vp2aQC9NV2wnyjtPxwjq/nDOgLnZ1 +Zuc1M/JNAgMBAAECggEARDitbQOwYUHE4gdzWCp2z7j88ZAiMSkjhhfSGE3gl3Ef +jujuYYLh7mW5SAKgRUQXhTf7bAJb19POv+hreJ5BA2KlBdIws74wCWO5pjMs+3dv +cO20Nc5LjwXKs6uA8ITzFe77FTgoWMVEXsNnZqffJHu3ReWhD0VntQKdED6TmXC/ +nvBA4pvGDeA/Gd5e0kec77SNxAcJIs0ltnZ/Dcm18Y6d1WY7ljL5k4z2JTpXZcBo +bm/BTcA9wXAhQUAC5YJix7E9Js2FvAHdxU5jAXQk0o3vI4WgByBMc9neGg/R9Hve +25J/dPJpIYGxq2ywyKDZxhxmQc+uvl53rmXsbHd+6wKBgQDJXU4l/fJoci5PLqAJ +hL6jNugvNRKZXwFCc/4X0R/xdWkD3OX5IukPc7+bCcpoBgzuAqDqcxNek+03m5P6 +THj6fthzYHrDZy5AhzmH9l5NjipJwltqBIDEOH0Dlv1/qF+zfIgbA8VJ0MZRKcSk +JbfeKg1Ujl7ACUUJYIwR7zdGqwKBgQDBaC3qFsribIt3n5SddL6UhHniUKSlHs9R +wEG43wyx8d8AIYLOz9USKOVS24iALRkUDR6xyzTDMDnC8BarFHc12UzoLtDVyUw+ +/u9urNdTu6kjmdCe3xnbWDaKl82XqGTH0Yt/NRHZm0s/So7xFqbvYM6PzruCwRLY +M39uFrGK5wKBgEhTz2IuGQgTGzct1CYXHDKb4kIymf+k9FreNwJvBz4/ofzVN3WJ +aJU4SjZyCdXbdoF3SD1uICL0l1xF8Z0SItI3BaBLo0zUnvRmne+MOss4qU/dE+C8 +xVO1xpGnhl54KAfcTzcE37Rn3RQCILOlKKoQCMG6caYgrj90AlvexMgJAoGBAIJA +DuvffbMPNr3REt0XimGq9gqcFMW/AhAkUh6W2I3ePjhwWQ++l9grAoXSoxLvTDxc +uZczKs1o5P2LgzikB8SUG18iaDIR5u9l8QmwDTOu5jG7nOvhhCBcQB8GLMc9+OE5 +FaENtH/APeTZ6Xojrzj3ESV4LH/aVz6TL/aMAfVxAoGBAKSiEif4b+M7pSo95fzJ +xjzp03hkcZ0JreU1DOyIZi9hfttgzvkLnI+KN82500fFhNGndXsWFDC5tYHQmFCh +UEX4Co+Z1iGEfi3KRMarb90LhMJziaUmT9Ufa/DiuoklwgP+v6DqdBB0zhMzDZBz +YyfzHvCdJsBCP0WYvMqaejeO +-----END PRIVATE KEY----- diff --git a/main.go b/main.go index 0abfbf9c..154c8915 100644 --- a/main.go +++ b/main.go @@ -1,6 +1,7 @@ package main import ( + "crypto/tls" "embed" "log" "net/http" 
@@ -13,18 +14,51 @@ import ( //go:embed ui/build/* var assets embed.FS +//go:embed hack/certs/cert.pem +var localCert []byte + +//go:embed hack/certs/key.pem +var localKey []byte + func main() { message.SetLogLevel(message.DebugLevel) - r, err := api.Setup(&assets) + + r, inCluster, err := api.Setup(&assets) if err != nil { // Log the error and exit message.WarnErr(err, "failed to start the API server") os.Exit(1) } - log.Println("Starting server on :8080") + //nolint:gosec,govet - if err = http.ListenAndServe(":8080", r); err != nil { - message.WarnErrf(err, "server failed to start: %s", err.Error()) - os.Exit(1) + if inCluster { + log.Println("Starting server on :8080") + + if err = http.ListenAndServe(":8080", r); err != nil { + message.WarnErrf(err, "server failed to start: %s", err.Error()) + os.Exit(1) + } + } else { + // create tls config from embedded cert and key + cert, err := tls.X509KeyPair(localCert, localKey) + if err != nil { + log.Fatalf("Failed to load embedded certificate: %v", err) + } + tlsConfig := &tls.Config{ + Certificates: []tls.Certificate{cert}, + } + + // Create a server with TLS config + server := &http.Server{ + Addr: ":8443", + Handler: r, + TLSConfig: tlsConfig, + } + + log.Println("Starting server on :8443") + if err = server.ListenAndServeTLS("", ""); err != nil { + message.WarnErrf(err, "server failed to start: %s", err.Error()) + os.Exit(1) + } } } diff --git a/pkg/api/start.go b/pkg/api/start.go index b2f7dc1a..dba0bd2b 100644 --- a/pkg/api/start.go +++ b/pkg/api/start.go 
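Review bot: In the `else` branch the server authenticates itself with a key pair that is embedded via `//go:embed hack/certs/key.pem` and published in the repository, so TLS here only protects against passive capture; anyone with the repo or the binary holds the same `*.uds.dev` key, and that limit deserves a comment next to `tls.X509KeyPair`. The embedded leaf's validity also appears to end in mid-November 2024, so binaries built from this commit would start failing browser validation soon after; an optional operator-supplied cert/key path, with the embedded pair as the fallback, would avoid a forced re-release. `Addr: ":8443"` still binds every interface in local mode; if `runtime-local.uds.dev` resolves to loopback (not shown here), `Addr: "127.0.0.1:8443"` keeps the API off the network. Adding `MinVersion: tls.VersionTLS12` to the `tls.Config` would make the protocol floor explicit instead of leaving it to the toolchain default behind `//nolint:gosec`.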
@@ -38,16 +38,28 @@ type K8sResources struct { cancel context.CancelFunc } +// Setup initializes the API server with the given assets +// It returns the chi router, a boolean indicating if the server is running in cluster, and an error if any // @title UDS Runtime API // @version 0.0.0 // @license.name Apache 2.0 // @license.url http://www.apache.org/licenses/LICENSE-2.0.html // @BasePath /api/v1 // @schemes http https -func Setup(assets *embed.FS) (*chi.Mux, error) { - apiAuth, token, err := checkForLocalAuth() +func Setup(assets *embed.FS) (*chi.Mux, bool, error) { + var apiAuth bool + var token string + + inCluster, err := isRunningInCluster() if err != nil { - return nil, fmt.Errorf("failed to set auth: %w", err) + return nil, inCluster, fmt.Errorf("failed to check if running in cluster: %w", err) + } + + if !inCluster { + apiAuth, token, err = checkForLocalAuth() + if err != nil { + return nil, inCluster, fmt.Errorf("failed to set auth: %w", err) + } } authSVC := checkForClusterAuth() @@ -73,24 +85,18 @@ func Setup(assets *embed.FS) (*chi.Mux, error) { // Setup k8s resources k8sResources, err := setupK8sResources() if err != nil { - return nil, fmt.Errorf("failed to setup k8s resources: %w", err) + return nil, inCluster, fmt.Errorf("failed to setup k8s resources: %w", err) } // Create the disconnected channel disconnected := make(chan error) - inCluster, err := isRunningInCluster() - if err != nil { - k8sResources.cancel() - return nil, fmt.Errorf("failed to check if running in cluster: %w", err) - } - // Get current k8s context and start the reconnection goroutine if NOT in cluster if !inCluster { currentCtx, currentCluster, err := k8s.GetCurrentContext() if err != nil { k8sResources.cancel() - return nil, fmt.Errorf("failed to get current context: %w", err) + return nil, inCluster, fmt.Errorf("failed to get current context: %w", err) } k8sResources.currentCtx = currentCtx 
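Review bot: With `checkForLocalAuth()` now gated on `!inCluster`, `apiAuth` and `token` keep their zero values when running in a cluster, so the only gate left in that mode is whatever `checkForClusterAuth()` returns on the following line. Neither helper's body is visible in this diff, so please confirm that no in-cluster deployment relied on the local token check. The new doc comment should record this, e.g. `// Token auth (apiAuth) applies only outside a cluster; in-cluster requests rely on checkForClusterAuth.` Setup's body continues beyond the hunks shown here.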
@@ -230,15 +236,15 @@ func Setup(assets *embed.FS) (*chi.Mux, error) { }) if apiAuth { - port := "8080" - ip := "127.0.0.1" + port := "8443" + host := "runtime-local.uds.dev" colorYellow := "\033[33m" colorReset := "\033[0m" - url := fmt.Sprintf("http://%s:%s?token=%s", ip, port, token) + url := fmt.Sprintf("https://%s:%s?token=%s", host, port, token) log.Printf("%sRuntime API connection: %s%s", colorYellow, url, colorReset) err := exec.LaunchURL(url) if err != nil { - return nil, fmt.Errorf("failed to launch URL: %w", err) + return nil, inCluster, fmt.Errorf("failed to launch URL: %w", err) } } @@ -246,14 +252,14 @@ func Setup(assets *embed.FS) (*chi.Mux, error) { if assets != nil { staticFS, err := fs.Sub(assets, "ui/build") if err != nil { - return nil, fmt.Errorf("failed to create static file system: %w", err) + return nil, inCluster, fmt.Errorf("failed to create static file system: %w", err) } if err := fileServer(r, http.FS(staticFS)); err != nil { - return nil, fmt.Errorf("failed to serve static files: %w", err) + return nil, inCluster, fmt.Errorf("failed to serve static files: %w", err) } } - return r, nil + return r, inCluster, nil } func setupK8sResources() (*K8sResources, error) { diff --git a/pkg/test/api_test.go b/pkg/test/api_test.go index f92595a3..f41075bf 100644 --- a/pkg/test/api_test.go +++ b/pkg/test/api_test.go @@ -30,7 +30,7 @@ type TestRoute struct { func setup() (*chi.Mux, error) { os.Setenv("API_AUTH_DISABLED", "true") - r, err := api.Setup(nil) + r, _, err := api.Setup(nil) return r, err } diff --git a/ui/playwright.config.apiauth.ts b/ui/playwright.config.apiauth.ts index 05e4387f..34596993 100644 --- a/ui/playwright.config.apiauth.ts +++ b/ui/playwright.config.apiauth.ts 
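Review bot: The session token is still carried in the query string of the URL built here and written to the process log by the `log.Printf` on the next line, so it ends up in browser history, terminal scrollback and any collected logs even though the transport is now TLS. If the UI can read it from the fragment instead, `url := fmt.Sprintf("https://%s:%s#token=%s", host, port, token)` keeps it out of the request target; whether the front end supports that is not visible in this diff. The literals `"8443"` and `"runtime-local.uds.dev"` also duplicate the listener address chosen in main.go, so a shared constant would stop the launched URL drifting from the bound port. This hunk sits in the middle of Setup, whose body starts before it.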
@@ -2,7 +2,7 @@ import { defineConfig } from '@playwright/test' import { loadEnv } from 'vite' const { VITE_PORT_ENV } = loadEnv('dev', process.cwd()) -const port = VITE_PORT_ENV ?? '8080' +const port = VITE_PORT_ENV ?? '8443' export default defineConfig({ timeout: 60 * 1000, @@ -11,7 +11,7 @@ export default defineConfig({ retries: 0, testMatch: /(.+\.)?(test|spec)\.[jt]s/, use: { - baseURL: `http://localhost:${port}/`, + baseURL: `https://runtime-local.uds.dev:${port}/`, }, }) diff --git a/ui/playwright.config.ts b/ui/playwright.config.ts index 8632d28a..0e4bb463 100644 --- a/ui/playwright.config.ts +++ b/ui/playwright.config.ts @@ -2,12 +2,16 @@ import { defineConfig } from '@playwright/test' import { loadEnv } from 'vite' const { VITE_PORT_ENV } = loadEnv('dev', process.cwd()) -const port = VITE_PORT_ENV ?? '8080' + +// use port 8443 because by default we use TLS when running locally +const port = VITE_PORT_ENV ?? '8443' +const protocol = 'https' +const host = 'runtime-local.uds.dev' export default defineConfig({ webServer: { command: 'API_AUTH_DISABLED=true ../build/uds-runtime', - url: `http://localhost:${port}`, + url: `${protocol}://${host}:${port}`, reuseExistingServer: !process.env.CI, }, timeout: 10 * 1000, @@ -17,7 +21,7 @@ export default defineConfig({ retries: process.env.CI ? 2 : 1, testMatch: /^(?!.*api-auth)(.+\.)?(test|spec)\.[jt]s$/, use: { - baseURL: `http://localhost:${port}/`, + baseURL: `${protocol}://${host}:${port}/`, }, }) diff --git a/ui/vite.config.ts b/ui/vite.config.ts index a02f669f..7267399d 100644 --- a/ui/vite.config.ts +++ b/ui/vite.config.ts 
@@ -9,12 +9,13 @@ export default defineConfig(({ mode }) => ({
 server: {
 proxy: {
 // Proxy all requests starting with /api to the go server
+ // noting that we ues https and 8443 because by default we use TLS when running locally
 '/api': {
- target: 'http://localhost:8080',
+ target: 'https://runtime-local:8443',
 changeOrigin: true,
 },
 '/health': {
- target: 'http://localhost:8080',
+ target: 'https://runtime-local:8443',
 changeOrigin: true,
 },
 },
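Review bot: Both proxy targets use the host `runtime-local`, whereas the Go launch URL and the Playwright configs in this same commit use `runtime-local.uds.dev`. Unless `runtime-local` is mapped locally the dev proxy will not resolve it, and even if it resolves, the name would not match a certificate issued for `*.uds.dev`, so the proxy's TLS verification should fail. Use `target: 'https://runtime-local.uds.dev:8443',` for both `/api` and `/health` rather than disabling certificate verification. The added comment also has a typo (`ues` should be `use`).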