diff --git a/apps/istio/istio-istiod.yaml b/apps/istio/istio-istiod.yaml
index 55cbaf4..f1028a0 100644
--- a/apps/istio/istio-istiod.yaml
+++ b/apps/istio/istio-istiod.yaml
@@ -12,28 +12,28 @@ spec:
 chart: istiod
 targetRevision: 1.26.0
 helm:
- values: |
- global:
- istioCNI:
- enabled: true
+ values: |
+ cni:
+ enabled: true
+ provider: default
+
+ sidecarInjectorWebhook:
+ disableInitContainers: true
 
- sidecarInjectorWebhook:
- disableInitContainers: true
+ pilot:
+ autoscaleEnabled: false
+ replicaCount: 2
+ resources:
+ requests:
+ cpu: "500m"
+ memory: "512Mi"
+ limits:
+ cpu: "1000m"
+ memory: "1Gi"
 
- pilot:
- autoscaleEnabled: false
- replicaCount: 2
- resources:
- requests:
- cpu: "500m"
- memory: "512Mi"
- limits:
- cpu: "1000m"
- memory: "1Gi"
-
- podDisruptionBudget:
- enabled: true
- minAvailable: 1
+ podDisruptionBudget:
+ enabled: true
+ minAvailable: 1
 destination:
 server: https://kubernetes.default.svc
 namespace: istio-system
diff --git a/apps/kube-prometheus-stack-config.yaml b/apps/kube-prometheus-stack-config.yaml
new file mode 100644
index 0000000..1508bcc
--- /dev/null
+++ b/apps/kube-prometheus-stack-config.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: monitoring-config
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops
+ targetRevision: main
+ path: kube-prometheus-stack/
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: monitoring
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
diff --git a/apps/kube-prometheus-stack.yaml b/apps/kube-prometheus-stack.yaml
new file mode 100644
index 0000000..8115f2a
--- /dev/null
+++ b/apps/kube-prometheus-stack.yaml
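Review bot: In apps/istio/istio-istiod.yaml the CNI switch moves from `global.istioCNI.enabled` to a top-level `cni.enabled`, while the other settings stay under `sidecarInjectorWebhook:` and `pilot:`, and nothing in the hunk shows that the istiod 1.26.0 chart reads all of these paths. Unless the chart ships a strict values schema, Helm silently ignores keys the chart does not consume, so a misplaced key would not fail the sync. If `disableInitContainers: true` does what its name suggests, a CNI flag that is not honoured could leave injected pods without traffic redirection, and so outside mesh mTLS and policy. Please check the paths against the chart's values for 1.26.0 and add a comment above the block, e.g. `# cni.enabled relies on the istio-cni DaemonSet; verify injected pods have no istio-init and still redirect traffic`. The Application spec starts and ends outside the hunk.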
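Review bot: `targetRevision: main` in apps/kube-prometheus-stack-config.yaml follows a mutable branch, and with `automated` sync, `selfHeal: true` and `prune: true` every push to that branch is applied to the cluster, and can delete resources from it, without a review step. The synced path carries a Namespace with Pod Security labels, a Gateway and a Certificate, so write access to the repository is effectively write access to those objects. Pin the revision, e.g. `targetRevision: <release-tag-or-commit-sha>`, and consider a dedicated AppProject instead of `project: default` so the allowed source repository and destination namespaces are restricted.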
@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: prometheus
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ destination:
+ namespace: monitoring
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ repoURL: https://prometheus-community.github.io/helm-charts
+ chart: kube-prometheus-stack
+ targetRevision: 85.0.2
+ helm:
+ releaseName: prometheus
+ values: |
+ namespaceOverride: "monitoring"
+
+ grafana:
+ ingress:
+ enabled: false
+
+ defaultRules:
+ create: true
+
+ prometheusOperator:
+ hostNetwork: false
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/kube-prometheus-stack/certificate.yaml b/kube-prometheus-stack/certificate.yaml
new file mode 100644
index 0000000..dfec95e
--- /dev/null
+++ b/kube-prometheus-stack/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: grafana-cert
+ namespace: istio-system
+spec:
+ secretName: grafana-cert
+ issuerRef:
+ name: letsencrypt-dns
+ kind: ClusterIssuer
+ dnsNames:
+ - grafana.local.gwg313.xyz
+ - grafana.zerotier.gwg313.xyz
diff --git a/kube-prometheus-stack/gateway.yaml b/kube-prometheus-stack/gateway.yaml
new file mode 100644
index 0000000..380f98b
--- /dev/null
+++ b/kube-prometheus-stack/gateway.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: grafana-gateway
+ namespace: monitoring
+spec:
+ selector:
+ istio: gateway
+ servers:
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: grafana-cert
+ hosts:
+ - grafana.local.gwg313.xyz
+ - grafana.zerotier.gwg313.xyz
diff --git a/kube-prometheus-stack/namespace.yaml b/kube-prometheus-stack/namespace.yaml
new file mode 100644
index 0000000..cf222d7
--- /dev/null
+++ b/kube-prometheus-stack/namespace.yaml
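Review bot: The `grafana:` values in apps/kube-prometheus-stack.yaml only disable the chart's ingress and leave the admin credential to chart defaults, while the same commit publishes Grafana through an Istio Gateway (kube-prometheus-stack/gateway.yaml and virtualservice.yaml). Point the chart at a pre-created secret that is kept out of git, `grafana.admin.existingSecret: <grafana-admin-secret>` (with `userKey`/`passwordKey` if the key names differ), and confirm what chart 85.0.2 does when no password is supplied. Separately, `CreateNamespace=true` here and the Namespace manifest synced by the monitoring-config Application both manage `monitoring`; a short comment stating which one owns the namespace labels would prevent drift.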
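Review bot: `credentialName: grafana-cert` in kube-prometheus-stack/gateway.yaml is resolved in the namespace of the gateway workload selected by `istio: gateway`, not in `monitoring` where this Gateway lives, and certificate.yaml issues the secret into `istio-system`. That only lines up if the selected gateway pods run in `istio-system`, which the diff does not show. I would add a comment above `tls:` such as `# secret grafana-cert is issued into istio-system (certificate.yaml); must match the gateway pods' namespace`. Consider also setting `minProtocolVersion: TLSV1_2` explicitly so the TLS floor does not depend on mesh defaults.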
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: monitoring
+ labels:
+ # istio-injection: enabled
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/warn: privileged
+
+ app.kubernetes.io/name: monitoring
diff --git a/kube-prometheus-stack/virtualservice.yaml b/kube-prometheus-stack/virtualservice.yaml
new file mode 100644
index 0000000..993b093
--- /dev/null
+++ b/kube-prometheus-stack/virtualservice.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: grafana
+ namespace: monitoring
+spec:
+ hosts:
+ - grafana.local.gwg313.xyz
+ - grafana.zerotier.gwg313.xyz
+ gateways:
+ - grafana-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: prometheus-grafana
+ port:
+ number: 80
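Review bot: All three Pod Security labels in kube-prometheus-stack/namespace.yaml are set to `privileged`, which turns off enforcement and also removes the audit and warn signal for every pod in `monitoring`, including the Grafana pod this commit exposes through the gateway. If `enforce: privileged` is needed for host-level exporters, keep it but set `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline` so violations by the other workloads stay visible, and name in a comment the workload that needs the exemption. The commented-out `# istio-injection: enabled` suggests pods here run without a sidecar, so the gateway-to-Grafana hop is presumably plain HTTP; either enable it or record why it is off.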
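Review bot: The route in kube-prometheus-stack/virtualservice.yaml uses the short host `prometheus-grafana`, which Istio resolves relative to the VirtualService's namespace and which presumably derives from `releaseName: prometheus` in apps/kube-prometheus-stack.yaml. Prefer the fully qualified name, `host: prometheus-grafana.monitoring.svc.cluster.local`, and add a comment tying it to the release name so a rename does not silently break the route. `prefix: /` forwards every path to Grafana on port 80 and this change adds no AuthorizationPolicy, so Grafana's own login is the only access control on these hostnames.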