Sorry for the late reply.
To configure additional CA certificates you can just use the xpack.security.transport.ssl.certificate_authorities key as described in the Elasticsearch documentation, there is nothing ECK specific here to keep in mind other than mounting the CA certificates into the pod.
An example Elasticsearch manifest for ECK could then look like this:
apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
name: cluster-one
spec:
version: 7.4.0
nodeSets:
- name: default
count: 1
config:
xpack.security.transport.ssl.certificate_authorities:
- /usr/share/elasticsearch/config/remote/ca.crt
podTemplate:
spec:
containers:
- name: elasticsearch
volumeMounts:
- name: remote-certs
mountPath: /usr/share/elasticsearch/config/remote
volumes:
- name: remote-certs
secret:
secretName: cluster-two-es-transport-certs-public
This assumes that a secret called cluster-two-es-transport-certs-public exists containing the CA certs of the other cluster you want to connect to. You will also have to configure the CA of this cluster on the other side to establish mutual trust.