TLS settings for query-frontend downstream

[twiden]

Hi,
I'm setting up Thanos in an environment where Istio enforces strict mTLS. This has been a bit of a hazzle with Thanos and Prometheus becuase requests that go through the Istio service mesh is tunneled over https with self signed certificates. The solution for the most part have been to mount the cert and key to the pod and tell the client application to pick up the cert and key from there.

However, for query-frontend downstream I can't find any flag for the process to pass these settings to the application. I have been able to find --query-frontend.downstream-tripper-config and --query-frontend.downstream-tripper-config-file but not if or how I can pass the TLS settings to tripper this way.

What I need to set is, in terms of Prometheus configuration, is the following

tlsConfig: 
    caFile: /etc/certs/root-cert.pem
    keyFile: /etc/certs/key.pem
    certFile: /etc/certs/cert-chain.pem
    insecureSkipVerify: true

If anyone could guide me if these options could be passed to the go http client using the above flags I would be vary thankful!

Cheers!
Tobias