@dagon yes, I finally got this working. See Issue with using an internal ingress for an example of what I got working. Note I also created a policy for non-grafana dashboards (istio creates a default grafana policy, thus why it's not in that ticket)
```yaml
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "kiali-disable-mtls"
  namespace: "istio-system"
spec:
  targets:
  - name: kiali
    ports:
    - number: 20001
```