Support mTLS Authentication in Webhooks #9777

Merged 1 commit, Jun 8, 2020

Conversation

Praveenrajmani (Contributor)

Description

Support mutual TLS auth for webhook

Motivation and Context

Webhook servers can use mTLS for connections.

How to test this PR?

  • Generate certificates using the following command with CN set to "localhost", and copy them to /tmp/ (or any location).
# -addext (OpenSSL 1.1.1+) puts the name in a subjectAltName as well: Go 1.15 and later
# do not accept the Common Name alone for hostname verification.
openssl req -newkey rsa:2048 \
  -new -nodes -x509 \
  -days 3650 \
  -out cert.pem \
  -keyout key.pem \
  -subj "/C=US/ST=California/L=Mountain View/O=Your Organization/OU=Your Unit/CN=localhost" \
  -addext "subjectAltName=DNS:localhost"
  • Use the following script to run the webhook server
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"os"

	"github.com/minio/minio/pkg/event"
)

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		defer r.Body.Close()
		b, err := io.ReadAll(r.Body)
		if err != nil {
			// A bad request must not take the server down: answer 400 and keep serving.
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if len(b) > 0 {
			var msg event.Log
			if err := json.Unmarshal(b, &msg); err != nil {
				http.Error(w, err.Error(), http.StatusBadRequest)
				return
			}
			fmt.Println("**********New-Message****************")
			fmt.Println(string(b))
		} else {
			// An empty body is treated as a ping.
			fmt.Println("****PINGREQ*****")
		}
		w.Write([]byte("ping"))
	})

	// Create a CA certificate pool and add cert.pem to it. MinIO presents this same
	// certificate as its client certificate, so this pool is what it is verified against.
	caCert, err := os.ReadFile("/tmp/cert.pem")
	if err != nil {
		log.Fatal(err)
	}
	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(caCert) {
		log.Fatal("no PEM certificates found in /tmp/cert.pem")
	}

	// TLS config with the CA pool; RequireAndVerifyClientCert fails the handshake
	// unless the client presents a certificate that verifies against caCertPool.
	tlsConfig := &tls.Config{
		ClientCAs:  caCertPool,
		ClientAuth: tls.RequireAndVerifyClientCert,
		MinVersion: tls.VersionTLS12,
	}

	// Create a Server instance to listen on port 8443 with the TLS config
	server := &http.Server{
		Addr:      ":8443",
		TLSConfig: tlsConfig,
	}

	log.Printf("listening on https://%s/", "localhost:8443")
	// Serve HTTPS with the server certificate and key, and wait
	log.Fatal(server.ListenAndServeTLS("/tmp/cert.pem", "/tmp/key.pem"))
}

  • Copy the cert.pem to ~/.minio/certs/CAs/public.crt
  • We can use the same key pair for both the client and server as they are on the same host.
  • Start the MinIO server
  • Set the client_cert and client_key in the webhook config.
    mc admin config set myminio/ notify_webhook:1 endpoint="https://localhost:8443/" client_cert="/tmp/cert.pem" client_key="/tmp/key.pem"
  • Start watching for events.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Fixes a regression (If yes, please add commit-id or PR # here)
  • Documentation needed
  • Unit tests needed
  • Functional tests needed (If yes, add mint PR # here: )
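
Added example, not code from this PR or from MinIO: the exchange the test steps above set up, carried out end to end in one Go process so both sides are visible. It builds one self-signed certificate in memory instead of running openssl, starts a webhook server that requires and verifies a client certificate, then posts a constructed event once with the client certificate (what the notify_webhook target does after client_cert and client_key are set) and once without. The function names, the port (left to httptest) and the JSON payload are this example's own assumptions; it does not reproduce MinIO's webhook target code.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedCert stands in for the PR's openssl step, but adds SAN entries: since Go 1.15
// the CN alone fails hostname checks. One cert is trust anchor, server cert and client cert.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// newMTLSServer is the receiving side of the PR's test script: a TLS server that
// demands a client certificate and verifies it against caPool before any handler runs.
func newMTLSServer(serverCert tls.Certificate, caPool *x509.CertPool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body) // an empty body is a ping, anything else an event
		fmt.Fprintf(w, "got %d bytes", len(body))
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientCAs:    caPool,
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mTLS switch
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	return srv
}

// postEvent is the sending side: the TLS setup MinIO's webhook target gets once client_cert
// and client_key are set (clientCerts == nil models a target configured without them).
// An mTLS rejection surfaces as a transport error, never as an HTTP status code.
func postEvent(caPool *x509.CertPool, clientCerts []tls.Certificate, url string, payload []byte) (int, error) {
	cfg := &tls.Config{RootCAs: caPool, Certificates: clientCerts, MinVersion: tls.VersionTLS12}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Post(url, "application/json", bytes.NewReader(payload))
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// RunDemo wires both sides together with one shared self-signed cert, as the PR's
// single-host steps do, and reports the status with a client cert and the error without.
func RunDemo() (withCert int, withoutCertErr error, err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf) // plays ~/.minio/certs/CAs/public.crt on one side, ClientCAs on the other
	srv := newMTLSServer(cert, pool)
	defer srv.Close()
	payload := []byte(`{"EventName":"s3:ObjectCreated:Put","Key":"images/photo.jpg"}`) // constructed sample
	if withCert, err = postEvent(pool, []tls.Certificate{cert}, srv.URL, payload); err != nil {
		return
	}
	_, withoutCertErr = postEvent(pool, nil, srv.URL, payload)
	return
}

func main() {
	withCert, withoutCertErr, err := RunDemo()
	fmt.Printf("setup error: %v\nwith client cert: HTTP %d\nwithout client cert: %v\n", err, withCert, withoutCertErr)
}
```

Two things the test steps leave implicit show up here. The openssl command sets only CN=localhost; Go 1.15 and later do not use the Common Name for hostname verification, so without a subjectAltName the MinIO side (a Go client) refuses the webhook server's certificate before any client certificate is even offered. And a missing or untrusted client certificate is rejected inside the TLS handshake, so on the MinIO side it appears as a connection error for the target rather than an HTTP 4xx from the webhook.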

Review comment on pkg/event/target/webhook.go (outdated, resolved)
@nitisht nitisht requested a review from aead June 6, 2020 02:38
@Praveenrajmani Praveenrajmani force-pushed the mTLS-Webhook branch 2 times, most recently from 383856f to 832732d Compare June 6, 2020 06:28
Review comment on pkg/certs/certs.go (outdated, resolved)
Review comment on pkg/event/target/webhook.go (outdated, resolved)
Review comment on pkg/event/target/webhook.go (outdated, resolved)
@minio-trusted (Contributor)

Mint Automation

Test Result
mint-xl.sh ✔️
mint-large-bucket.sh ✔️
mint-fs.sh ✔️
mint-dist-xl.sh ✔️
mint-gateway-s3.sh ✔️
mint-gateway-azure.sh ✔️
mint-gateway-nas.sh ✔️
Deleting image on docker hub
Deleting image locally

@harshavardhana (Member)

PTAL @aead

@kannappanr kannappanr merged commit 2ce2e88 into minio:master Jun 8, 2020
5 participants