72cda2dc92
modified: docs/prometheus-inventory.md new file: docs/runtime/prometheus-inventory.json new file: docs/runtime/prometheus-query-exposure.json new file: docs/runtime/prometheus-query-hypervisor.json new file: docs/runtime/prometheus-query-job-instance.json new file: docs/runtime/prometheus-query-jobs.json new file: docs/runtime/prometheus-query-network.json new file: docs/runtime/prometheus-query-role.json new file: docs/runtime/prometheus-query-service.json new file: docs/runtime/prometheus-query-up.json new file: docs/runtime/prometheus-targets.json modified: monitoring/docker-socket-proxy/docker-compose.yml modified: monitoring/mtls-bridge/docker-compose.yml modified: monitoring/node-red/data/context/00b02bbd01c91485/flow.json modified: monitoring/node-red/data/update-events.ndjson
mTLS Bridge Service
Internal HTTP-to-mTLS bridge for services that cannot present client certificates directly (for example, Grafana webhooks).
How it works
- Accepts plain HTTP requests inside the Docker network.
- Forwards requests to an HTTPS upstream.
- Presents a client certificate/key pair for mTLS authentication.
Environment variables
- TARGET_URL (required): HTTPS upstream base URL.
- CLIENT_CERT (default /certs/client.crt): client certificate path.
- CLIENT_KEY (default /certs/client.key): client private key path.
- CA_CERT (default /certs/ca.crt): CA certificate bundle used to verify upstream TLS.
- TIMEOUT (default 5): request timeout in seconds.
- LOG_LEVEL (default INFO): Python logging level.
Endpoints
- GET /health returns 200 OK for container health checks.
- /* proxies requests to ${TARGET_URL} with method/body/headers preserved.
Compose integration
This repository includes monitoring/mtls-bridge/docker-compose.yml:
- No public port exposure.
- Read-only cert mount (${PROJECT_ROOT}/core/traefik/certs:/certs:ro).
- Joined to internal monitoring/traefik networks.
Example test
curl http://mtls-bridge:8080/health
curl -X POST http://mtls-bridge:8080
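Added example, not the repository's own bridge code: a sketch of the forwarding path described under "How it works", using only the Python standard library and the environment variables listed above. The names BridgeConfig, load_config, upstream_url, build_ssl_context, forward and the SKIP_HEADERS set are assumptions made for illustration.

```python
import os
import ssl
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlsplit

# Defaults are the ones listed under "Environment variables".
DEFAULTS = {"CLIENT_CERT": "/certs/client.crt", "CLIENT_KEY": "/certs/client.key",
            "CA_CERT": "/certs/ca.crt", "TIMEOUT": "5"}
# Assumption: per-connection headers are rebuilt rather than forwarded upstream.
SKIP_HEADERS = {"host", "connection", "content-length", "transfer-encoding"}

@dataclass(frozen=True)
class BridgeConfig:
    target_url: str
    client_cert: str
    client_key: str
    ca_cert: str
    timeout: float

def load_config(env=os.environ):
    """Read the bridge settings; refuse an upstream that is not HTTPS."""
    target = env.get("TARGET_URL", "")
    parts = urlsplit(target)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("TARGET_URL is required and must be an https:// URL")
    get = lambda key: env.get(key, DEFAULTS[key])
    return BridgeConfig(target.rstrip("/"), get("CLIENT_CERT"), get("CLIENT_KEY"),
                        get("CA_CERT"), float(get("TIMEOUT")))

def upstream_url(cfg, path):
    """Append the request path to the fixed base so the host cannot change."""
    return cfg.target_url + "/" + path.lstrip("/")

def build_ssl_context(cfg):
    """Verify the upstream against CA_CERT and present the client pair."""
    # create_default_context enables CERT_REQUIRED and hostname checking.
    ctx = ssl.create_default_context(cafile=cfg.ca_cert)
    ctx.load_cert_chain(certfile=cfg.client_cert, keyfile=cfg.client_key)
    return ctx

def forward(cfg, method, path, body=None, headers=None):
    """Send one request upstream over mTLS; returns (status, body bytes)."""
    kept = {k: v for k, v in (headers or {}).items() if k.lower() not in SKIP_HEADERS}
    req = urllib.request.Request(upstream_url(cfg, path), data=body,
                                 headers=kept, method=method)
    # urlopen raises urllib.error.HTTPError for 4xx/5xx upstream responses.
    with urllib.request.urlopen(req, timeout=cfg.timeout,
                                context=build_ssl_context(cfg)) as resp:
        return resp.status, resp.read()
```

Because the bridge accepts unauthenticated HTTP, anything that can reach it inherits the client certificate's identity at the upstream, which is why the compose file keeps it off public ports.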