server/tests-py: Enable TLS tests in parallel mode on CI.

Part of [NDAT-257](https://hasurahq.atlassian.net/browse/NDAT-257).

* Run the TLS tests on CI.
* Run non-TLS tests even when a TLS certificate is provided; just ignore it.

[NDAT-257]: https://hasurahq.atlassian.net/browse/NDAT-257?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

PR-URL: https://github.com/hasura/graphql-engine-mono/pull/7806
GitOrigin-RevId: d705e2e5131a674070a98a893323a7b98a92f688

server/tests-py/conftest.py

@@ -611,13 +611,15 @@ def webhook_server(
     if tls_ca_configuration:
         if scheme is not None and scheme != 'https':
             pytest.skip(f'Cannot run the remote schema server with TLS; HGE is configured to talk to it over "{scheme}".')
-        if request.node.get_closest_marker('no_tls_webhook_server') is not None:
-            pytest.skip('Only running this test with TLS disabled; skipping the version with TLS enabled.')
 
         server = http.server.HTTPServer(server_address, webhook.Handler)
-        insecure = request.node.get_closest_marker('tls_insecure_certificate') is not None
-        tls_trust = fixtures.tls.TLSTrust.INSECURE if insecure else fixtures.tls.TLSTrust.SECURE
-        tls_ca_configuration.configure(server, tls_trust)
+        use_tls = request.node.get_closest_marker('no_tls_webhook_server') is None
+        if use_tls:
+            insecure = request.node.get_closest_marker('tls_insecure_certificate') is not None
+            tls_trust = fixtures.tls.TLSTrust.INSECURE if insecure else fixtures.tls.TLSTrust.SECURE
+            tls_ca_configuration.configure(server, tls_trust)
+        else:
+            tls_trust = None
     else:
         if scheme is not None and scheme != 'http':
             pytest.skip(f'Cannot run the remote schema server without TLS; HGE is configured to talk to it over "{scheme}".')

server/tests-py/fixtures/tls.py

@@ -27,15 +27,15 @@ class TLSCAConfiguration(NamedTuple):
         csr_file = self.tmp_path / 'webhook.csr'
         cert_file = self.tmp_path / 'webhook.pem'
         # generate a private key
-        subprocess.run(['openssl', 'genrsa', '-out', key_file, '2048']).check_returncode()
+        subprocess.run(['openssl', 'genrsa', '-out', key_file, '2048'], check=True, capture_output=True)
         # generate a certificate signing request for the private key
-        subprocess.run(['openssl', 'req', '-new', '-key', key_file, '-out', csr_file, '-subj', '/CN=hge-webhook', '-config', config_file]).check_returncode()
+        subprocess.run(['openssl', 'req', '-new', '-key', key_file, '-out', csr_file, '-subj', '/CN=hge-webhook', '-config', config_file], check=True, capture_output=True)
         if trust == TLSTrust.INSECURE:
             # self-sign the certificate with its own key, making it untrusted
-            subprocess.run(['openssl', 'x509', '-req', '-in', csr_file, '-signkey', key_file, '-out', cert_file, '-days', '10', '-extensions', 'v3_req', '-extfile', config_file]).check_returncode()
+            subprocess.run(['openssl', 'x509', '-req', '-in', csr_file, '-signkey', key_file, '-out', cert_file, '-days', '10', '-extensions', 'v3_req', '-extfile', config_file], check=True, capture_output=True)
         else:
             # sign the certificate with the provided CA key, which should be trusted
-            subprocess.run(['openssl', 'x509', '-req', '-in', csr_file, '-CA', self.cert_file, '-CAkey', self.key_file, '-CAcreateserial', '-out', cert_file, '-days', '10', '-extensions', 'v3_req', '-extfile', config_file]).check_returncode()
+            subprocess.run(['openssl', 'x509', '-req', '-in', csr_file, '-CA', self.cert_file, '-CAkey', self.key_file, '-CAcreateserial', '-out', cert_file, '-days', '10', '-extensions', 'v3_req', '-extfile', config_file], check=True, capture_output=True)
 
         ssl_context = ssl.create_default_context(
             purpose=ssl.Purpose.CLIENT_AUTH,