Configuring Elastic Agent to trust Fleet Server's certificate (eck-stack Helm Chart)

Elastic Stack Elastic Agent
1

I deployed eck-operator and I’m deploying eck-stack via the helm chart eck-stack-0.16.0

I’m getting an error in Elastic Agent logs :

{"log.level":"error","@timestamp":"2025-10-22T13:11:03.233Z","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/application/dispatcher.(*ActionDispatcher).Dispatch","file.name":"dispatcher/dispatcher.go","file.line":161},"message":"Failed to dispatch action id \"policy:eck-agent:19\" of type \"POLICY_CHANGE\", error: validating Fleet client config: validating fleet client config: fail to communicate with Fleet Server API client hosts: all hosts failed: requester 0/1 to host https://fleet.example.com:443/ errored: Get \"https://fleet.example.com:443/api/status?\": x509: certificate signed by unknown authority","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}

Looks like Elastic Agent is not trusting the certificate given by the Fleet Server.

Here’s my values.yaml (I did not include Elasticsearch since this is not relevant here) :

eck-kibana:
  enabled: true
  fullnameOverride: kibana

  elasticsearchRef:
    name: elasticsearch

  monitoring:
    metrics:
      elasticsearchRefs:
      - name: elasticsearch
    logs:
      elasticsearchRefs:
      - name: elasticsearch

  config:
    xpack.fleet.agents.elasticsearch.hosts: ["https://elasticsearch.example.com"]
    xpack.fleet.agents.fleet_server.hosts: ["https://fleet.example.com"]
    xpack.fleet.registryProxyUrl: "http://proxyurl:8080"
    monitoring.kibana.collection.enabled: true
    xpack.fleet.packages:
    - name: system
      version: latest
    - name: elastic_agent
      version: latest
    - name: fleet_server
      version: latest
    - name: kubernetes
      version: latest
    xpack.fleet.agentPolicies:
    - name: Fleet Server on ECK policy
      id: eck-fleet-server
      namespace: default
      is_managed: true
      monitoring_enabled:
      - logs
      - metrics
      package_policies:
      - name: fleet_server-1
        id: fleet_server-1
        package:
          name: fleet_server
    - name: Elastic Agent on ECK policy
      id: eck-agent
      namespace: default
      is_managed: true
      monitoring_enabled:
      - logs
      - metrics
      unenroll_timeout: 901
      package_policies:
      - package:
          name: system
        name: system-1
      - package:
          name: kubernetes
        name: kubernetes-1

eck-agent:
  enabled: true

  policyID: eck-agent

  kibanaRef:
    name: kibana
  elasticsearchRefs: []

  fleetServerRef:
    name: fleet-server

  monitoring:
    metrics:
      elasticsearchRefs:
      - name: elasticsearch
    logs:
      elasticsearchRefs:
      - name: elasticsearch

  mode: fleet
  daemonSet:
    podTemplate:
      spec:
        serviceAccountName: elastic-agent
        hostNetwork: true
        dnsPolicy: ClusterFirstWithHostNet
        automountServiceAccountToken: true
        securityContext:
          runAsUser: 0

eck-fleet-server:
  enabled: true

  fullnameOverride: "fleet-server"

  deployment:
    replicas: 1
    podTemplate:
      spec:
        serviceAccountName: fleet-server
        automountServiceAccountToken: true

  monitoring:
    metrics:
      elasticsearchRefs:
      - name: elasticsearch
    logs:
      elasticsearchRefs:
      - name: elasticsearch

  policyID: eck-fleet-server
  kibanaRef:
    name: kibana
  elasticsearchRefs:
  - name: elasticsearch

How can I pass the Fleet Server certificate so Elastic Agent will trust it ? I did not find an option in the Helm Chart.

Let me know if you need more information.