In our cluster, where we have our internal Prometheus, we plan to scrape the pod endpoints by making the pod endpoints part of a headless service. That way Prometheus can have the istio-proxy container injected and also reach pod IPs directly. No need to mount the certs to reach mTLS endpoints. I want to know if or why the Istio team does/does not recommend creating a headless service when they want to reach pod/port endpoints so that mTLS is auto-applied? Any views on this method?
Describe our approach here.