I think the issue you are hitting is related to SANs on the certificate. Currently, we don't populate the generated certificate with LoadBalancer IP as IP SAN. This means that when you use IP address to connect to ES, TLS connection can't be established due to that IP not being present on the cert.
To resolve it right now, you can change your ES spec to include the following:
- ip: IP_ADDRESS
where IP_ADDRESS is the external (LoadBalancer) IP that you are using to connect to ES.
Enhancement that would make this seamless (ie. would not require the
tls config section to be added by the user) is tracked at https://github.com/elastic/cloud-on-k8s/issues/910.