Summary
This issue is for adding support for mutual TLS (mTLS) authentication to the argo-rollouts Notifications Engine’s HTTP transport layer.
The feature enables webhook integrations to perform secure, bi-directional authentication between the client and server using certificates.
Motivation
Currently, the argo-rollouts Notifications Engine supports webhook authentication using standard mechanisms (e.g., Basic Auth, bearer tokens).
However, for enterprise or compliance-critical environments, mTLS is required.
This enhancement will expand support for secure webhook communication, particularly in regulated or internal environments.
Proposal
A new function will be added to create an http.Transport configured for mTLS authentication.
It will load client and CA certificates from the provided configuration, build a corresponding tls.Config, and return a transport that enables secure, bi-directional authentication between the Notifications Engine and webhook endpoints.
This ensures encrypted and mutually trusted communication for webhook notifications.
Sample ConfigMap illustrating how to configure a webhook that requires mutual TLS authentication:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-notifications-cm
data:
  service.webhook.secure-api: |
    url: https://secure-api.company.com/webhooks/notifications
    headers:
    - name: Content-Type
      value: application/json
    - name: X-API-Version
      value: v1
    mtlsConfig:
      certPath: /etc/ssl/certs/webhook-client.crt
      keyPath: /etc/ssl/private/webhook-client.key
      caCertPath: /etc/ssl/certs/company-ca.crt
      insecureSkipVerify: false # Enforce proper certificate validation
  template.secure-notification: |
    webhook:
      secure-api:
        method: POST
        body: |
          {
            "event": "application-sync",
            "application": "{{.app.metadata.name}}",
            "namespace": "{{.app.metadata.namespace}}",
            "status": "{{.app.status.sync.status}}",
            "revision": "{{.app.status.sync.revision}}",
            "timestamp": "{{.time.Now}}",
            "argocd_url": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}"
          }
```