
Conversation

@Praveen2112
Member

@Praveen2112 Praveen2112 commented Oct 14, 2025

Description

Additional context and related issues

Release notes

(x) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text:

## Section
* Fix some things. ({issue}`issuenumber`)

Summary by Sourcery

Use secure HTTPS endpoints for Hydra in product tests and remove insecure HTTP settings.

Enhancements:

  • Switch Hydra OAuth2 and OIDC endpoint URLs in all product-test Docker configurations from HTTP to HTTPS
  • Remove the --dangerous-force-http flag and update the HydraIdentityProvider Java setup to use HTTPS for the issuer and client endpoint
  • Update the login_and_consent_server Python script to default HYDRA_ADMIN_URL to HTTPS

Summary by Sourcery

Enforce HTTPS for Hydra OAuth2 endpoints across product-test environments and containers

Enhancements:

  • Replace HTTP with HTTPS in OAuth2 issuer, auth, token, and JWKS URLs in all test environment config properties
  • Update HydraIdentityProvider to use HTTPS for self-issuer URL and client-creation endpoint, and remove the insecure force-http flag
  • Change the default HYDRA_ADMIN_URL in login_and_consent_server.py to use HTTPS

@cla-bot cla-bot bot added the cla-signed label Oct 14, 2025
@sourcery-ai

sourcery-ai bot commented Oct 14, 2025

Reviewer's Guide

All Hydra endpoints in product tests now use secure HTTPS; insecure HTTP settings and flags have been removed to enforce secure communications.

File-Level Changes

Change: Switch Hydra OAuth2/OIDC endpoints in product-test Docker configuration to HTTPS
Details:
  • Replaced HTTP issuer URL with HTTPS
  • Updated auth-url, token-url, and jwks-url to use HTTPS
Files:
  testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/singlenode-oauth2-authenticated-http-proxy/trino/config.properties
  testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/singlenode-oauth2-authenticated-https-proxy/trino/config.properties
  testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/singlenode-oauth2-http-proxy/config.properties
  testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/singlenode-oauth2-https-proxy/config.properties
  testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/singlenode-oauth2-refresh/config.properties
  testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/singlenode-oauth2/config.properties
  testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/singlenode-oidc-refresh/config.properties
  testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/singlenode-oidc/config.properties

Change: Enforce HTTPS in HydraIdentityProvider and remove insecure HTTP flag
Details:
  • Changed URLS_SELF_ISSUER environment variable to use HTTPS
  • Removed the --dangerous-force-http flag from the serve command
  • Updated hydra client creation endpoint to HTTPS
Files:
  testing/trino-product-tests-launcher/src/main/java/io/trino/tests/product/launcher/env/common/HydraIdentityProvider.java

Change: Default HYDRA_ADMIN_URL to HTTPS in login_and_consent_server
Files:
  testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/common/hydra-identity-provider/login_and_consent_server.py


@Praveen2112 Praveen2112 marked this pull request as ready for review October 14, 2025 16:14

@sourcery-ai sourcery-ai bot left a comment


Hey there - I've reviewed your changes - here's some feedback:

  • Consider centralizing the Hydra base URL in a shared variable or template to avoid repeating the protocol change across all config files.
  • Verify that the Hydra container is actually serving TLS—add the appropriate --tls-cert and --tls-key flags to the serve all command instead of relying on defaults.
  • Update the wait strategy in HydraIdentityProvider to expect the TLS startup log message rather than the HTTP-only log entry.

@wendigo
Contributor

wendigo commented Oct 14, 2025

How does it work? Where is hydra getting a certificate from that Trino nodes trust?

@Praveen2112
Member Author

I think they get the certificate from the oauth2-jwk configuration; specifically, for non-proxy we could use oauth2-jwk.http-client.trust-store-path=/docker/trino-product-tests/conf/trino/etc/hydra.pem

@Praveen2112
Member Author

Additionally, in hydra-identity-provider we generate certs and add them to each of their specific truststores.
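The two points this thread touches, moving the Trino OAuth2 endpoint properties from http:// to https:// (and dropping Hydra's --dangerous-force-http flag), and making sure the Hydra certificate is actually trusted, for example through oauth2-jwk.http-client.trust-store-path, can be checked mechanically before a product-test environment starts. The following lint is an added example, not code from the Trino project or from this PR: the http-server.authentication.oauth2.* and oauth2-jwk.http-client.trust-store-path keys are Trino's real property names, while the hydra:4444 host and both sample config bodies are constructed for the example.

```python
"""Lint a Trino OAuth2 config.properties body and a Hydra serve command for
plaintext-HTTP settings.

Added example, not Trino project code. The property keys below are real Trino
properties; the sample configs and the hydra:4444 host are constructed.
"""
from urllib.parse import urlsplit

OAUTH2_URL_KEYS = (
    "http-server.authentication.oauth2.issuer",
    "http-server.authentication.oauth2.auth-url",
    "http-server.authentication.oauth2.token-url",
    "http-server.authentication.oauth2.jwks-url",
)
TRUST_STORE_KEY = "oauth2-jwk.http-client.trust-store-path"
DANGEROUS_FLAG = "--dangerous-force-http"  # Hydra flag that disables TLS on its listeners

# Constructed sample, modelled on the pre-change product-test config.
INSECURE_CONFIG = """\
http-server.authentication.type=oauth2
http-server.authentication.oauth2.issuer=http://hydra:4444/
http-server.authentication.oauth2.auth-url=http://hydra:4444/oauth2/auth
http-server.authentication.oauth2.token-url=http://hydra:4444/oauth2/token
http-server.authentication.oauth2.jwks-url=http://hydra:4444/.well-known/jwks.json
"""

# Constructed sample: https:// endpoints plus an explicit trust store holding
# the Hydra certificate (path taken from the discussion above).
SECURE_CONFIG = """\
http-server.authentication.type=oauth2
http-server.authentication.oauth2.issuer=https://hydra:4444/
http-server.authentication.oauth2.auth-url=https://hydra:4444/oauth2/auth
http-server.authentication.oauth2.token-url=https://hydra:4444/oauth2/token
http-server.authentication.oauth2.jwks-url=https://hydra:4444/.well-known/jwks.json
oauth2-jwk.http-client.trust-store-path=/docker/trino-product-tests/conf/trino/etc/hydra.pem
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def lint_oauth2_config(text):
    """Return findings (strings) for the OAuth2 endpoint settings in a config body.

    - any endpoint using the http:// scheme is reported;
    - when https:// is used but no trust store is configured, a note is emitted
      so the reviewer confirms the Hydra certificate is trusted some other way
      (e.g. the proxy variants of the environment terminate TLS elsewhere).
    """
    props = parse_properties(text)
    findings = []
    uses_https = False
    for key in OAUTH2_URL_KEYS:
        value = props.get(key)
        if value is None:
            continue
        scheme = urlsplit(value).scheme.lower()
        if scheme == "http":
            findings.append(f"{key}: plaintext HTTP endpoint {value}")
        elif scheme == "https":
            uses_https = True
        else:
            findings.append(f"{key}: unexpected scheme in {value!r}")
    if uses_https and not props.get(TRUST_STORE_KEY):
        findings.append(
            f"{TRUST_STORE_KEY} not set; confirm the Hydra certificate is trusted by Trino"
        )
    return findings


def lint_hydra_serve_args(args):
    """Flag a Hydra 'serve' invocation that turns TLS off, e.g. ['serve', 'all', '--dangerous-force-http']."""
    findings = []
    if DANGEROUS_FLAG in args:
        findings.append(f"{DANGEROUS_FLAG} disables TLS on Hydra's listeners")
    return findings


if __name__ == "__main__":
    for name, body in (("insecure", INSECURE_CONFIG), ("secure", SECURE_CONFIG)):
        print(name, lint_oauth2_config(body) or "OK")
    print("serve args", lint_hydra_serve_args(["serve", "all", DANGEROUS_FLAG]) or "OK")
```

Run against the pre-change config the lint reports all four endpoints; against the post-change config with the trust store set it reports nothing, and with the trust-store line removed it emits only the trust note, which is what a reviewer would want to see for wendigo's question about where the trusted certificate comes from.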

@Praveen2112 Praveen2112 requested a review from marcinsbd October 15, 2025 08:01
@wendigo
Contributor

wendigo commented Oct 15, 2025

@Praveen2112 merge?

@Praveen2112 Praveen2112 merged commit 2b51cd7 into trinodb:master Oct 15, 2025
44 checks passed
@github-actions github-actions bot added this to the 478 milestone Oct 15, 2025