GoogleCloudPlatform / metacontroller

Lightweight Kubernetes controllers as a service
https://metacontroller.app/
Apache License 2.0

webhook api key support #163

Open trondhindenes opened 5 years ago

trondhindenes commented 5 years ago

It would be really awesome if metacontroller supported some kind of authentication/authorization when posting to webhooks, for example a parameter HTTP_AUTH_HEADER in metacontroller that would just be forwarded as-is to webhooks. This would allow us to "close the loop" in terms of proving metacontroller's identity.

enisoc commented 5 years ago

I think it would be reasonable to add the ability to define static headers in the Webhook config spec. It may not be secure enough though since anyone who could read your CompositeController object could impersonate Metacontroller. That will get a bit better if we do #154 since then this info can be stored in a Secret.

The other option I had considered was a command-line parameter to specify a TLS client cert that Metacontroller will use for all outbound calls. If you control the HTTP handler on your webhook side, you could then require a specific client cert name identifying Metacontroller and authenticate it with the same CA used to sign it.

Would one of those work?

trondhindenes commented 5 years ago

I agree about the webhook spec - probably not the best place to put api keys. TLS-based auth would work, but might be complex to set up for some, which is why I thought simple env vars passed directly to the Metacontroller would be a viable option (this would in effect work as a "global" webhook api key for all webhooks the metacontroller interacts with, but we'd be fine with that).
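
The client-certificate option enisoc describes, seen from the webhook side, as an added Go example that is not part of the thread or of Metacontroller's code: a caller is accepted only if its certificate carries the pinned name and chains to the trusted CA for client authentication. The helper names `issue` and `authorize`, the CN `metacontroller` and the in-memory demo CA are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a throwaway certificate (constructed demo data); a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authorize (hypothetical helper) admits a leaf only if it has the pinned name AND chains to roots for client auth.
func authorize(leaf *x509.Certificate, roots *x509.CertPool, want string) error {
	if leaf == nil || leaf.Subject.CommonName != want {
		return fmt.Errorf("client certificate missing or not named %q", want)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("client certificate not issued by the trusted CA: %w", err)
	}
	return nil
}

func main() {
	ca, caKey := issue("demo-ca", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good, _ := issue("metacontroller", ca, caKey) // assumed CN for Metacontroller's client cert
	misnamed, _ := issue("some-other-client", ca, caKey)
	selfSigned, _ := issue("metacontroller", nil, nil) // right name, untrusted issuer
	for _, c := range []*x509.Certificate{good, misnamed, selfSigned} {
		fmt.Println(c.Subject.CommonName, "->", authorize(c, roots, "metacontroller"))
	}
}
```

In a real webhook server the chain check is performed by the TLS stack when `tls.Config` sets `ClientAuth: tls.RequireAndVerifyClientCert` and `ClientCAs`; the name pin on `r.TLS.PeerCertificates[0]` is the part the handler has to add itself.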