Exposing an unauthenticated Prometheus endpoint when TLS is enabled


We’re setting up a new Consul cluster in AWS on EC2. Our cluster has TLS configured with client certificates required (verify_incoming / verify_outgoing both true in config). Is there any way to expose an unauthenticated Prometheus endpoint over HTTP whilst our cluster is configured like this?

We’re trying to avoid the need to generate a client certificate for our Prometheus servers that will be scraping the metrics from our Consul instances.

Any help would be really appreciated.


Hi Andrew,

Take a look at the expose parameter which was added to the proxy service registration config in Consul 1.6.2 (PR#6446). It allows exposing HTTP endpoints through an Envoy sidecar proxy.

This should offer the functionality you’re looking for.
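
For reference, this is what the expose parameter named in the reply looks like in a sidecar service registration. It is an added example, not taken from the thread or from the Consul project; the service name `web`, port 8080, listener port 21500 and the `/metrics` path are assumed values.

```hcl
# Added illustration: service name, ports and path are assumed values.
service {
  name = "web"
  port = 8080

  connect {
    sidecar_service {
      proxy {
        expose {
          # Only the paths listed here are reachable without mutual TLS.
          # All other traffic to the service still goes through the
          # sidecar's mTLS-protected public listener.
          paths = [
            {
              path            = "/metrics" # path served by the application
              protocol        = "http"
              local_path_port = 8080       # port the application listens on locally
              listener_port   = 21500      # plain-HTTP Envoy listener for the scraper
            }
          ]
        }
      }
    }
  }
}
```

The exposed listener carries no client authentication, so keep the path list to the single metrics path and restrict who can reach the listener port at the network layer, for example with an EC2 security group rule that admits only the Prometheus servers.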