# mTLS Bridge Service

Internal HTTP-to-mTLS bridge for services that cannot present client certificates directly (for example, Grafana webhooks).

## How it works

1. Accepts plain HTTP requests inside the Docker network.
2. Forwards requests to an HTTPS upstream.
3. Presents a client certificate/key pair for mTLS authentication.

## Environment variables

- `TARGET_URL` (required): HTTPS upstream base URL.
- `CLIENT_CERT` (default `/certs/client.crt`): client certificate path.
- `CLIENT_KEY` (default `/certs/client.key`): client private key path.
- `CA_CERT` (default `/certs/ca.crt`): CA certificate bundle used to verify upstream TLS.
- `TIMEOUT` (default `5`): request timeout in seconds.
- `LOG_LEVEL` (default `INFO`): Python logging level.
- `MTLS_BRIDGE_BASIC_AUTH_USERS` (required for Traefik auth): value for `traefik.http.middlewares.*.basicauth.users` (e.g. `user:$$apr1$$...`).

## Endpoints

- `GET /health` returns `200 OK` for container health checks.
- `/*` proxies requests to `${TARGET_URL}` with method/body/headers preserved.

## Compose integration

This repository includes `monitoring/mtls-bridge/docker-compose.yml`:

- No public port exposure.
- Read-only cert mount (`${PROJECT_ROOT}/core/traefik/certs:/certs:ro`).
- Joined to internal monitoring/traefik networks.

## Example test

```bash
curl http://mtls-bridge:8080/health
curl -X POST http://mtls-bridge:8080
```