diff --git a/k8s/helmfile/env/local/api.values.yaml.gotmpl b/k8s/helmfile/env/local/api.values.yaml.gotmpl
index 440a2cef..88ede835 100644
--- a/k8s/helmfile/env/local/api.values.yaml.gotmpl
+++ b/k8s/helmfile/env/local/api.values.yaml.gotmpl
@@ -2,7 +2,23 @@ image:
   tag: 10x.18.1
 
 ingress:
-  tls: null
+  tls:
+  - hosts:
+    - wbaas.localhost
+    secretName: wikibase-local-tls
+  enabled: true
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+  hosts:
+  {{- range .Values.services.app.ingressHosts }}
+  - host: {{ .host }}
+    paths:
+    {{- range .paths }}
+    - {{ . | quote }}
+    {{- end }}
+  {{- end }}
 
 platform:
   backendMwHost: mediawiki-139-app-backend.default.svc.cluster.local
diff --git a/k8s/helmfile/env/local/base.yaml b/k8s/helmfile/env/local/base.yaml
index c6a633ad..731be4ae 100644
--- a/k8s/helmfile/env/local/base.yaml
+++ b/k8s/helmfile/env/local/base.yaml
@@ -1,8 +1,7 @@
 ip: ""
 ingressHost: "*.wbaas.localhost"
-ingressNameSuffix: main
 forceSSL: false
-tls: false
+tls: true
 wbstack:
   subdomainSuffix: ".wbaas.localhost"
-  uiurl: http://wbaas.localhost
+  uiurl: https://wbaas.localhost
diff --git a/k8s/helmfile/env/local/certificates.values.yaml.gotmpl b/k8s/helmfile/env/local/certificates.values.yaml.gotmpl
new file mode 100644
index 00000000..4ea7cf9b
--- /dev/null
+++ b/k8s/helmfile/env/local/certificates.values.yaml.gotmpl
@@ -0,0 +1,8 @@
+certificates:
+  - name: wikibase-local-tls
+    commonName: wbaas.localhost
+    dnsNames:
+      - '*.wbaas.localhost'
+      - 'wbaas.localhost'
+    secretName: wikibase-local-tls
+    issuerRef: selfsigned-cluster-issuer
diff --git a/k8s/helmfile/env/local/private.yaml b/k8s/helmfile/env/local/private.yaml
index 74d7661d..b0ef3416 100644
--- a/k8s/helmfile/env/local/private.yaml
+++ b/k8s/helmfile/env/local/private.yaml
@@ -4,7 +4,8 @@ gcsApiStaticBucket: 'something'
 
 # TODO move this (and many other things) out of private file...
 uiHostName: www.wbaas.localhost
-tlsSecret: wikibase-dev-tls
+tlsSecret: wikibase-local-tls
+ingressNameSuffix: wikibase-local
 
 services:
   queryservice:
@@ -13,8 +14,8 @@ services:
 
   app:
     mailer: smtp
-    url: http://www.wbaas.localhost
-    apiUrl: http://api.wbaas.localhost
+    url: https://www.wbaas.localhost
+    apiUrl: https://api.wbaas.localhost
     ingressHosts:
       - host: api.wbaas.localhost
         paths:
diff --git a/k8s/helmfile/env/local/ui.values.yaml.gotmpl b/k8s/helmfile/env/local/ui.values.yaml.gotmpl
index 8bfd1017..c538ee5b 100644
--- a/k8s/helmfile/env/local/ui.values.yaml.gotmpl
+++ b/k8s/helmfile/env/local/ui.values.yaml.gotmpl
@@ -6,7 +6,10 @@ ui:
   recaptchaSitekeySecretKey: site_key
 
 ingress:
-  tls: null
+  tls:
+  - hosts:
+    - {{ .Values.uiHostName }}
+    secretName: {{ .Values.tlsSecret }}
 
 resources:
   limits: