After some more experimenting, I found a working solution.
I mounted the custom CA certificate directly into the /etc/ssl/certs folder and removed the CA-related environment variables:
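# Elastic Agent DaemonSet (excerpt). The custom CA certificate is mounted as a
# single file into the container's system trust directory (/etc/ssl/certs)
# instead of being passed through CA-related environment variables.
# Lines marked "# ..." stand for parts the original answer left out.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: elastic-agent
  namespace: kube-system
  labels:
    app: elastic-agent
spec:
  selector:
    matchLabels:
      app: elastic-agent
  template:
    metadata:
      labels:
        app: elastic-agent
    spec:
      # ... (other pod spec fields omitted)
      containers:
        - name: elastic-agent
          image: docker.elastic.co/beats/elastic-agent:8.3.3
          env:
            - name: FLEET_ENROLL
              value: "1"
            # Set to true in case of insecure or unverified HTTP.
            # NOTE(review): while this stays "true" the agent does not verify
            # the Fleet Server certificate, so the mounted CA is not what
            # protects the connection. With the CA in the trust store this
            # should no longer be needed; set it to "false" (or remove it)
            # and confirm that enrollment still succeeds.
            - name: FLEET_INSECURE
              value: "true"
            # URL (scheme, host and port) of the Fleet Server
            - name: FLEET_URL
              value: "https://elastic-fleet.xxxx:8220"
            # If left empty KIBANA_HOST, KIBANA_FLEET_USERNAME,
            # KIBANA_FLEET_PASSWORD are needed.
            # NOTE(review): "xxxxx" is a redacted placeholder. An inline value
            # is readable by anyone who can view the DaemonSet; prefer
            # valueFrom.secretKeyRef pointing at a Secret.
            - name: FLEET_ENROLLMENT_TOKEN
              value: "xxxxx"
            # Node name taken from the pod's own spec via the downward API
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          # ... (further container settings omitted)
          volumeMounts:
            # ... (other volume mounts omitted)
            # The subPath mount adds only this one file and leaves the rest of
            # /etc/ssl/certs from the image in place. A subPath mount is not
            # refreshed when the Secret changes, so restart the pods after
            # rotating the CA.
            - name: elastic-ca
              mountPath: /etc/ssl/certs/elastic-ca.crt
              subPath: elastic-ca.crt
              readOnly: true
      volumes:
        # ... (other volumes omitted)
        # Secret expected to carry the key "elastic-ca.crt" (matches subPath
        # above). It should hold only the CA certificate, never the CA
        # private key.
        - name: elastic-ca
          secret:
            secretName: elastic-ca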