K8S - using Prometheus to monitor another prometheus instance in secure way

1. You should consider using Additional Scrape Configuration

AdditionalScrapeConfigs allows specifying a key of a Secret containing additional Prometheus scrape configurations. Scrape configurations specified are appended to the configurations generated by the Prometheus Operator.

2. I am affraid this is not officially supported. However, you can update your prometheus.yml section within the Helm chart. If you want to learn more about it, check out this blog

3. I see two options here:

Connections to Prometheus and its exporters are not encrypted and authenticated by default. This is one way of fixing that with TLS certificates and stunnel.

Or specify Secrets which you can add to your scrape configuration.

Please let me know if that helped.