Self-signed HTTPS in goosed breaks headless/server deployments (K8s health probes, reverse proxies) #7685
Description
Summary
#7126 unconditionally replaced the plain HTTP listener (tokio::net::TcpListener::bind) with axum_server::bind_rustls using a self-signed certificate. This breaks all headless/server deployments where goosed runs behind a reverse proxy, sidecar, or Kubernetes health probes that expect plain HTTP.
Impact
This change landed on main after v1.26.1 was tagged, so no released version is affected yet. However, the next tagged release will break every non-desktop deployment unless TLS is made opt-in.
Affected scenarios:
- Kubernetes health probes —
httpGetprobes send plain HTTP to the goosed port and receive a TLS handshake back, causingmalformed HTTP response "\x15\x03\x03\x00\x02\x022". Pods crash-loop as liveness probes fail. - Sidecar proxies (Envoy, etc.) — sidecars communicating with goosed over localhost expect plain HTTP
- Python/HTTP clients —
goose-python-clientand any HTTP client hittinghttp://localhost:7879gets a TLS error - Any deployment where goosed is not spawned by the Electron desktop app
Reproduction
- Build goosed from
main(any commit after feat: self-signed HTTPS for goosed server #7126) - Run
goosed agentwithGOOSE_SERVER__SECRET_KEYset - Observe log:
listening on https://0.0.0.0:7879 curl http://localhost:7879/statusfails with a TLS error
Context
We discovered this while deploying a canary build in our Slack bot infrastructure. Our branch was based on main rather than v1.26.1, and every pod crash-looped because K8s liveness probes couldn't reach the /status endpoint over plain HTTP.
The self-signed TLS feature makes sense for the desktop app (Electron pins the cert fingerprint via the GOOSED_CERT_FINGERPRINT stdout output). But it should not be the only mode — server/headless deployments need plain HTTP.