Hello,
There is also documentation from Istio on how to mount the sidecar certificates in the Prometheus pod: Istio / Prometheus.
In my case, configuring the tlsConfig in the ServiceMonitor works:
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: app-prometheus
  namespace: monitoring
  labels:
    release: prometheus-stack
spec:
  selector:
    matchLabels:
      app: app
  namespaceSelector:
    matchNames:
      - default
  endpoints:
    - port: 'http'
      path: '/metrics'
      interval: 10s
      basicAuth:
        password:
          name: app-metrics-credentials
          key: password
        username:
          name: app-metrics-credentials
          key: username
      scheme: https
      tlsConfig:
        caFile: /etc/prom-certs/root-cert.pem
        certFile: /etc/prom-certs/cert-chain.pem
        keyFile: /etc/prom-certs/key.pem
        insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
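
An added example, not part of the original post: a small audit over ServiceMonitor manifests (already parsed into Python dicts) that reports endpoints where the target certificate is not verified or where scrape credentials travel without an authenticated peer. The function names and the sample manifest, which mirrors the one above, are constructed for illustration.

```python
"""Audit ServiceMonitor endpoints for risky TLS settings (added example)."""

SECRET_FIELDS = ("basicAuth", "bearerTokenSecret", "authorization", "oauth2")

def audit_endpoint(ep):
    """Return a list of findings for one ServiceMonitor endpoint dict."""
    findings = []
    tls = ep.get("tlsConfig") or {}
    sends_secret = any(f in ep for f in SECRET_FIELDS)
    if ep.get("scheme", "http") != "https":
        if sends_secret:
            findings.append("credentials sent over plaintext http")
        return findings
    # A client certificate is only usable when cert and key are both set.
    has_cert = "certFile" in tls or "cert" in tls
    has_key = "keyFile" in tls or "keySecret" in tls
    if has_cert != has_key:
        findings.append("client cert and key must be set together")
    if tls.get("insecureSkipVerify"):
        findings.append("insecureSkipVerify: target certificate is not verified")
        if sends_secret:
            findings.append("credentials sent to an unverified peer")
    return findings

def audit_service_monitor(sm):
    """Map 'namespace/name[index]' to findings, for endpoints that have any."""
    meta = sm.get("metadata", {})
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    report = {}
    for i, ep in enumerate(sm.get("spec", {}).get("endpoints", [])):
        findings = audit_endpoint(ep)
        if findings:
            report[f"{ident}[{i}]"] = findings
    return report

# Constructed sample: the endpoint from the manifest above, as a dict.
CREDS = {"password": {"name": "app-metrics-credentials", "key": "password"},
         "username": {"name": "app-metrics-credentials", "key": "username"}}
SAMPLE = {"metadata": {"name": "app-prometheus", "namespace": "monitoring"},
          "spec": {"endpoints": [{
              "port": "http", "path": "/metrics", "scheme": "https",
              "basicAuth": CREDS,
              "tlsConfig": {"caFile": "/etc/prom-certs/root-cert.pem",
                            "certFile": "/etc/prom-certs/cert-chain.pem",
                            "keyFile": "/etc/prom-certs/key.pem",
                            "insecureSkipVerify": True}}]}}

if __name__ == "__main__":
    for where, findings in audit_service_monitor(SAMPLE).items():
        print(where, findings)
```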