DOCS-898: Synchronous Bucket Notifications, config API secret redaction (#960)

Closes #898 

- Adds a short section on synchronous vs asynchronous bucket
notifications
- Adds a note on specific configs which now return redacted data on `mc
admin config get`
- Found a few new webhook lambda envvars to add

source/administration/monitoring/bucket-notifications.rst

@@ -79,6 +79,32 @@ MinIO supports publishing event notifications to the following targets:
 
        See :ref:`minio-bucket-notifications-publish-webhook` for a tutorial.
 
+Asynchronous vs Synchronous Bucket Notifications
+------------------------------------------------
+
+.. versionadded:: RELEASE.2023-06-23T20-26-00Z
+
+   MinIO supports either asynchronous (default) or synchronous bucket notifications for *all* remote targets.
+
+With asynchronous delivery, MinIO fires the event at the configured remote and does *not* wait for a response before continuing to the next event.
+Asynchronous bucket notification prioritizes sending events with the risk of some events being lost if the remote target has a transient issue during transit or processing.
+
+With synchronous delivery, MinIO fires the event at the configured remote and then waits for the remote to confirm a successful receipt before continuing to the next event.
+Synchronous bucket notification prioritizes delivery of events with the risk of a slower event-send rate and queue fill.
+
+To enable synchronous bucket notifications for *all configured remote targets*, use either of the following settings:
+
+- Set the :envvar:`MINIO_API_SYNC_EVENTS` environment variable to ``on`` and restart the MinIO deployment.
+
+- Set the :mc-conf:`api.sync_events` configuration setting to ``on`` and restart the MinIO deployment.
+
+.. note::
+
+   MinIO maintains a per-remote queue of events (``10000`` by default) where it stores unsent and pending events.
+
+   For asynchronous or synchronous bucket notifications, MinIO discards new events if the queue fills.
+   You can increase the queue size as necessary to better accommodate the rate of event send and processing of the MinIO deployment and remote target.
+
 
 .. _minio-bucket-notifications-event-types:
 

source/developers/transforms-with-object-lambda.rst

@@ -108,6 +108,17 @@ To enable MinIO to call the handler, register the handler function as a webhook
    Register an endpoint for a handler function.
    For multiple handlers, set this environment variable for each function endpoint.
 
+MinIO also supports the following environment variables for authenticated webhook endpoints:
+
+:envvar:`MINIO_LAMBDA_WEBHOOK_AUTH_TOKEN_functionanme <MINIO_LAMBDA_WEBHOOK_AUTH_TOKEN>`
+   Specify the opaque string or JWT authorization token for authenticating to the webhook.
+
+:envvar:`MINIO_LAMBDA_WEBHOOK_CLIENT_CERT_functionname <MINIO_LAMBDA_WEBHOOK_CLIENT_CERT>`
+   Specify the client certificate to use for mTLS authentication to the webhook.
+
+:envvar:`MINIO_LAMBDA_WEBHOOK_CLIENT_KEY_functionname <MINIO_LAMBDA_WEBHOOK_CLIENT_CERT>`
+   Specify the private key to use for mTLS authentication to the webhook.
+
 Restart MinIO to apply the changes.
 
 

source/includes/common-mc-admin-config.rst

@@ -161,6 +161,10 @@ server/broker.
 Specify the password for the MQTT username with which MinIO authenticates to the
 MQTT server/broker.
 
+.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
+
+   MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
+
 .. end-minio-notify-mqtt-password
 
 
@@ -288,6 +292,10 @@ enforces authentication.
 The password for connecting to an Elasticsearch service endpoint which enforces
 authentication.
 
+.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
+
+   MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
+
 .. end-minio-notify-elasticsearch-password
 
 .. start-minio-notify-elasticsearch-queue-limit
@@ -430,6 +438,10 @@ supports the following values:
 
 Specify the password for the Redis server.
 
+.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
+
+   MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
+
 .. end-minio-notify-redis-password
 
 
@@ -495,12 +507,20 @@ Specify the username for connecting to the NATS service endpoint.
 
 Specify the passport for connecting to the NATS service endpoint.
 
+.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
+
+   MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
+
 .. end-minio-notify-nats-password
 
 .. start-minio-notify-nats-token
 
 Specify the token for connecting to the NATS service endpoint.
 
+.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
+
+   MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
+
 .. end-minio-notify-nats-token
 
 .. start-minio-notify-nats-tls
@@ -837,6 +857,10 @@ to the Kafka broker(s).
 Specify the password for performing SASL/PLAIN or SASL/SCRAM authentication
 to the Kafka broker(s).
 
+.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
+
+   MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
+
 .. end-minio-notify-kafka-sasl-password
 
 .. start-minio-notify-kafka-sasl-mechanism
@@ -977,6 +1001,10 @@ Specify the URL for the webhook service.
 Specify the opaque string or JWT authorization token to use for 
 authenticating to the webhook service.
 
+.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
+
+   MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
+
 .. end-minio-notify-webhook-auth-token
 
 .. start-minio-notify-webhook-client-cert
@@ -1280,3 +1308,13 @@ Defaults to ``"text/*, application/json, application/xml, binary/octet-stream"``
 +-----------------+--------------------------+
 
 .. end-minio-data-compression-default-desc
+
+.. start-minio-api-sync-events
+
+Enables synchronous :ref:`bucket notifications <minio-bucket-notifications>`.
+
+Specify ``on`` to direct MinIO to wait until the remote target returns success on receipt of an event before processing further events.
+
+Defaults to ``off``, or asynchronous bucket notifications where MinIO does not wait for the remote target to return success on receipt of an event.
+
+.. end-minio-api-sync-events

source/includes/common-minio-external-auth.rst

@@ -18,6 +18,10 @@ Specify the client secret MinIO uses when authenticating user credentials
 against the :abbr:`OIDC (OpenID Connect)` compatible provider. This field
 may be optional depending on the provider.
 
+.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
+
+   MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
+
 .. end-minio-openid-client-secret
 
 .. start-minio-openid-jwks-url
@@ -192,6 +196,10 @@ privileges to support querying performing user and group lookups.
 Specify the password for the :ref:`Lookup-Bind 
 <minio-external-identity-management-ad-ldap-lookup-bind>` user account.
 
+.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
+
+   MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
+
 .. end-minio-ad-ldap-lookup-bind-password
 
 .. start-minio-ad-ldap-user-dn-search-base-dn

source/reference/minio-mc-admin/mc-admin-config.rst

@@ -88,7 +88,7 @@ Configuration Settings
 The following configuration settings define runtime behavior of the 
 MinIO :mc:`server <minio server>` process:
 
-Root User Account
+API Configuration
 ~~~~~~~~~~~~~~~~~
 
 .. mc-conf:: api
@@ -105,6 +105,13 @@ Root User Account
       To reset after an unintentional lock, set :envvar:`MINIO_API_ROOT_ACCESS` ``on`` to override this setting and temporarily re-enable the root account.
       You can then change this setting to ``on`` *or* make the necessary user/policy changes to ensure normal administrative access through other non-root accounts.
 
+   .. mc-conf:: sync_events
+
+      .. include:: /includes/common-mc-admin-config.rst
+         :start-after: start-minio-api-sync-events
+         :end-before: end-minio-api-sync-events
+
+      Corresponds with the :envvar:`MINIO_API_SYNC_EVENTS` environment variable.
 
 .. _minio-server-config-logging-logs:
 

source/reference/minio-server/minio-server.rst

@@ -1005,6 +1005,15 @@ These environment variables configure notification targets for use with
 - :ref:`minio-server-envvar-bucket-notification-kafka`
 - :ref:`minio-server-envvar-bucket-notification-webhook`
 
+.. envvar:: MINIO_API_SYNC_EVENTS
+   :optional:
+
+   .. include:: /includes/common-mc-admin-config.rst
+      :start-after: start-minio-api-sync-events
+      :end-before: end-minio-api-sync-events
+
+   Corresponds with the :mc-conf:`~api.sync_events` configuration setting.
+
 .. _minio-server-envvar-bucket-notification-amqp:
 
 AMQP Service for Bucket Notifications
@@ -2629,7 +2638,26 @@ For example, the following command sets two distinct Object Lambda webhook endpo
 
 .. envvar:: MINIO_LAMBDA_WEBHOOK_ENDPOINT
 
-   The HTTP endpoint of the webhook for the handler function.
+   The HTTP endpoint of the lambda webhook for the handler function.
+
+
+.. envvar:: MINIO_LAMBDA_WEBHOOK_AUTH_TOKEN
+
+   Specify the opaque string or JWT authorization token to use for authenticating to the lambda webhook service.
+
+   .. versionchanged:: RELEASE.2023-06-23T20-26-00Z
+
+      MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
+
+
+.. envvar:: MINIO_LAMBDA_WEBHOOK_CLIENT_CERT
+
+   Specify the path to the client certificate to use for performing mTLS authentication to the lambda webhook service.
+
+.. envvar:: MINIO_LAMBDA_WEBHOOK_CLIENT_KEY
+
+   Specify the path to the private key to use for performing mTLS authentication to the lambda webhook service.
+
 
 .. _minio-server-envvar-external-identity-management-ad-ldap: