mTLS between Grafana and Prometheus Istio 1.0.5

I’m looking to get some clarity regarding communication between Grafana and Prometheus. By default it appears Grafana is configured to pull from Prometheus over HTTP even when control plane mtls is enabled. Is this an accurate statement?

We have a requirement that the connection between Grafana and Prometheus is encrypted. Is it possible to enable this?

I’m also curious why these Pods are not deployed with a sidecar.


@Oliver @Quanjie_Lin for securing control plane with mTLS.

Grafana and Prometheus are deployed in the istio-system namespace by default. The istio-namespace has sidecar-autoinjection disabled for obvious reasons (the autoinjector would never be ready as it would be waiting for the istio-proxy, which can’t be injected because the autoinjector is not ready yet…).

You could solve this issue by deploying grafana and prometheus in a custom namespace which does have sidecar-injection enabled.

Thanks spekr. It makes sense that sidecar injection is disabled but I noticed that some of the pods in the istio-system namespace do have a sidecar, eg: Pilot.In this case the sidecar is part of the deployment.yaml and not injected.

In general I expected that enabling control plane MTLS would encrypt all traffic between Istio components including the tools, Kiali, Grafana, Prometheus, etc.

Are there other exceptions where traffic is not encrypted? For example, mixer seems to expose http endpoints for scraping metrics.

Thanks again