playwright: serve the test Vaultwarden over HTTPS

The bundled web vault refuses to submit registration and login
requests over plain HTTP, surfacing "Insecure URL not allowed. All
URLs must use HTTPS." in the UI. The Continue button is left
`bit-aria-disable=true` and click handlers are no-ops, which
manifests in tests as `locator.fill: timeout exceeded` deep into
createAccount — diagnosed via DOM dump showing the error banner.

Make the test Rocket server actually serve HTTPS:

- Generate a self-signed cert in the Vaultwarden runtime image
  (separate RUN layer from the apt install so cert tweaks don't
  bust the deps layer cache).
- Point `ROCKET_TLS` at the cert + key in test.env and the
  dev .env.template.
- Switch DOMAIN to `https://localhost:${ROCKET_PORT}`.
- Tell Playwright to ignore HTTPS errors on the self-signed cert
  (in both `playwright.config.ts` for test contexts and
  `global-utils.ts` for the manual context startVault uses to
  poll for vault readiness).

Self-signed + `ignoreHTTPSErrors` is the idiomatic Playwright pattern
for a local-only test target; importing a custom CA into each
browser's profile would be substantially more invasive (Firefox uses
NSS, Chromium has its own store) for no real-world fidelity gain.

playwright/.env.template

@@ -39,7 +39,8 @@ DUMMY_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${DUMMY_REALM}
 ######################
 ROCKET_ADDRESS=0.0.0.0
 ROCKET_PORT=8000
-DOMAIN=http://localhost:${ROCKET_PORT}
+ROCKET_TLS={certs="/certs/cert.pem",key="/certs/key.pem"}
+DOMAIN=https://localhost:${ROCKET_PORT}
 LOG_LEVEL=info,oidcwarden::sso=debug
 I_REALLY_WANT_VOLATILE_STORAGE=true
 

playwright/compose/warden/Dockerfile

@@ -29,6 +29,18 @@ RUN mkdir /data && \
         openssl && \
     rm -rf /var/lib/apt/lists/*
 
+# Self-signed TLS cert for the test server. The bundled web vault refuses
+# to submit registration/login over HTTP ("Insecure URL not allowed");
+# Rocket needs a cert+key to serve HTTPS. Self-contained layer so cert
+# tweaks don't bust the apt-install layer above.
+RUN mkdir /certs && \
+    openssl req -x509 -nodes -newkey rsa:2048 \
+        -keyout /certs/key.pem \
+        -out /certs/cert.pem \
+        -days 3650 \
+        -subj "/CN=localhost" \
+        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
+
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
 WORKDIR /

playwright/global-utils.ts

@@ -38,7 +38,7 @@ export async function waitFor(url: String, browser: Browser) {
 
     do {
         try {
-            context = await browser.newContext();
+            context = await browser.newContext({ ignoreHTTPSErrors: true });
             const page = await context.newPage();
             await page.waitForTimeout(500);
             const result = await page.goto(url);

playwright/playwright.config.ts

@@ -35,6 +35,7 @@ export default defineConfig({
         /* Base URL to use in actions like `await page.goto('/')`. */
         baseURL: process.env.DOMAIN,
         browserName: 'firefox',
+        ignoreHTTPSErrors: true,
         locale: 'en-GB',
         timezoneId: 'Europe/London',
 

playwright/test.env

@@ -52,7 +52,8 @@ DUMMY_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${DUMMY_REALM}
 # Vaultwarden Config #
 ######################
 ROCKET_PORT=8003
-DOMAIN=http://localhost:${ROCKET_PORT}
+ROCKET_TLS={certs="/certs/cert.pem",key="/certs/key.pem"}
+DOMAIN=https://localhost:${ROCKET_PORT}
 LOG_LEVEL=info,oidcwarden::sso=debug
 LOGIN_RATELIMIT_MAX_BURST=100
 ADMIN_TOKEN=admin