[nexus] webhooks (#7277)

This branch adds an MVP implementation of the internal machinery for
delivering webhooks from Nexus. This includes:

- webhook-related external API endpoints (as described in [RFD 538])
- database tables for storing webhook receiver configurations and
  webhook events, and for tracking their delivery status
- background tasks for actually delivering webhook events to receivers

The user-facing interface for webhooks is described in greater detail in
[RFD 538]. The code change in this branch includes a ["Big Theory
Statement" comment] that describes most of the implementation details,
so reviewers are encouraged to refer to that for more information on the
implementation.

## Future Work

Immediate follow-up work (i.e. stuff I'd like to do shortly but would
prefer to land in separate PRs):

- [ ] Garbage collection for old records in the `webhook_delivery`,
  `webhook_delivery_attempt`, and `webhook_event` CRDB tables (need to
  figure out a good retention policy for events)
- [ ] `omdb db webhooks` commands for actually looking at the webhook
  database tables (#7808)
- [ ] Oximeter metrics tracking webhook delivery attempt outcomes and
  latencies

Not currently planned, but possible future work:

- [ ] Actually record webhook events when stuff happens :)
- [ ] Some mechanism for communicating JSON schemas for webhook event
  payloads (either via OpenAPI 3.1, by sticking JSON schemas in the
  `/v1/webhooks/event-classes` endpoints, or both)
- [ ] Allow webhook receivers to have roles with more restrictive
  permissions than `fleet.viewer` (see [RFD 538 Appendix
  B.3](https://rfd.shared.oxide.computer/rfd/538#rbac-filtering));
  probably requires service accounts
- [ ] Track receiver liveness and alert when a receiver has gone away
  (see [RFD 538 Appendix 
  B.4](https://rfd.shared.oxide.computer/rfd/538#liveness))

["Big Theory Statement" comment]:
  https://github.com/oxidecomputer/omicron/blob/143b34b1eeac68ce9ec7a50a0fbabafadec9f444/nexus/src/app/webhook.rs#L5-L131
[RFD 538]: https://rfd.shared.oxide.computer/rfd/538

Author: hawkw

Cargo.lock

@@ -453,6 +453,7 @@ hickory-resolver = "0.24.4"
 hickory-server = "0.24.4"
 highway = "1.3.0"
 hkdf = "0.12.4"
+hmac = "0.12.1"
 http = "1.2.0"
 http-body = "1.0.1"
 http-body-util = "0.1.3"
@@ -626,7 +627,7 @@ regex = "1.11.1"
 regress = "0.10.3"
 repo-depot-api = { path = "sled-agent/repo-depot-api" }
 repo-depot-client = { path = "clients/repo-depot-client" }
-reqwest = { version = "0.12", default-features = false }
+reqwest = { version = "0.12.15", default-features = false }
 ring = "0.17.11"
 rpassword = "7.3.1"
 rstest = "0.24.0"
@@ -966,3 +967,8 @@ path = "workspace-hack"
 [patch."https://github.com/oxidecomputer/omicron"]
 omicron-uuid-kinds = { path = "uuid-kinds" }
 omicron-common = { path = "common" }
+
+# Waiting for https://github.com/seanmonstar/reqwest/pull/2623 to be released...
+[patch.crates-io.reqwest]
+git = 'https://github.com/seanmonstar/reqwest'
+rev = '114d97c1a862567b465cb57f14d584626e1cf30c'

Cargo.toml

@@ -1040,6 +1040,9 @@ pub enum ResourceType {
     Probe,
     ProbeNetworkInterface,
     LldpLinkConfig,
+    WebhookEvent,
+    WebhookReceiver,
+    WebhookSecret,
 }
 
 // IDENTITY METADATA