Add internal mTLS bridge service for monitoring stack
This commit is contained in:
beatz174-bit
@@ -0,0 +1,38 @@
|
||||
# mTLS Bridge Service
|
||||
|
||||
Internal HTTP-to-mTLS bridge for services that cannot present client certificates directly (for example, Grafana webhooks).
|
||||
|
||||
## How it works
|
||||
|
||||
1. Accepts plain HTTP requests inside the Docker network.
|
||||
2. Forwards requests to an HTTPS upstream.
|
||||
3. Presents a client certificate/key pair for mTLS authentication.
|
||||
|
||||
## Environment variables
|
||||
|
||||
- `TARGET_URL` (required): HTTPS upstream base URL.
|
||||
- `CLIENT_CERT` (default `/certs/client.crt`): client certificate path.
|
||||
- `CLIENT_KEY` (default `/certs/client.key`): client private key path.
|
||||
- `CA_CERT` (default `/certs/ca.crt`): CA certificate bundle used to verify upstream TLS.
|
||||
- `TIMEOUT` (default `5`): request timeout in seconds.
|
||||
- `LOG_LEVEL` (default `INFO`): Python logging level.
|
||||
|
||||
## Endpoints
|
||||
|
||||
- `GET /health` returns `200 OK` for container health checks.
|
||||
- `/*` proxies requests to `${TARGET_URL}` with method/body/headers preserved.
|
||||
|
||||
## Compose integration
|
||||
|
||||
This repository includes `monitoring/mtls-bridge/docker-compose.yml`:
|
||||
|
||||
- No public port exposure.
|
||||
- Read-only cert mount (`${PROJECT_ROOT}/core/traefik/certs:/certs:ro`).
|
||||
- Joined to internal monitoring/traefik networks.
|
||||
|
||||
## Example test
|
||||
|
||||
```bash
|
||||
curl http://mtls-bridge:8080/health
|
||||
curl -X POST http://mtls-bridge:8080
|
||||
```
|
||||
Reference in New Issue
Block a user