Metricbeat

Hello, I have a problem, and I don't know where to find it.

I have an ingress with its certificate, and I have the ingress configured for elasticsearch.

Now, I want to attack that endpoint using metricbeats, which I have in another cluster and it gives me the following error:

(*MetricSet).Fetch","file.name":"node/node.go","file.line":91},"message":"error making http request: Get \"https://vsphere-general-worker-2:10250/stats/summary\": lookup vsphere-general-worker-2 on 10.43.0.10:53: server misbehaving","service.name":"metricbeat","ecs.version":"1.6.0"}
 
{"log.level":"error","@timestamp":"2024-03-04T11:27:14.883Z","log.origin":{"function":"github.com/elastic/beats/v7/metricbeat/mb/module.(*metricSetWrapper).fetch","file.name":"module/wrapper.go","file.line":256},"message":"Error fetching data for metricset elasticsearch.node_stats: error making http request: Get \"https://xxxxx/_nodes/_local/stats\": x509: certificate signed by unknown authority","service.name":"metricbeat","ecs.version":"1.6.0"}

Can you help me? or give any indication of what it could be?

Does the certificate have to be that of the entry? from elasticsearch? of metricbeat?

---
daemonset:
  # Annotations to apply to the daemonset
  annotations: {}
  # additionals labels
  labels: {}
  affinity: {}
  # Include the daemonset
  enabled: true
  # Extra environment variables for Metricbeat container.
  envFrom: []
  # - configMapRef:
  #     name: config-secret
  extraEnvs:
    - name: "ELASTICSEARCH_USERNAME"
      valueFrom:
        secretKeyRef:
          name: elasticsearch-master-credentials
          key: username
    - name: "ELASTICSEARCH_PASSWORD"
      valueFrom:
        secretKeyRef:
          name: elasticsearch-master-credentials
          key: password
  #  - name: MY_ENVIRONMENT_VAR
  #    value: the_value_goes_here
  extraVolumes: []
  # - name: extras
  #   emptyDir: {}
  extraVolumeMounts: []
  # - name: extras
  #   mountPath: /usr/share/extras
  #   readOnly: true
  hostAliases: []
  #- ip: "127.0.0.1"
  #  hostnames:
  #  - "foo.local"
  #  - "bar.local"
  hostNetworking: false
  # Allows you to add any config files in /usr/share/metricbeat
  # such as metricbeat.yml for daemonset
  metricbeatConfig:
    metricbeat.yml: |
      metricbeat.modules:
      - module: elasticsearch
        xpack.enabled: true
        period: 10s
        #hosts: '["https://${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}"]'
        hosts: 'https://xxx.com'
        ssl.enabled: false
        ssl.certificate_authorities: ["/usr/share/metricbeat/certs/ca.crt"]
        username: '${ELASTICSEARCH_USERNAME}'
        password: '${ELASTICSEARCH_PASSWORD}'
      - module: kubernetes
        metricsets:
          - container
          - node
          - pod
          - system
          - volume
        period: 10s
        host: "${NODE_NAME}"
        hosts: ["https://${NODE_NAME}:10250"]
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        #ssl.verification_mode: "none"
        # If using Red Hat OpenShift remove ssl.verification_mode entry and
        # uncomment these settings:
        ssl.certificate_authorities: ["/usr/share/metricbeat/certs/ca.crt"]
        username: '${ELASTICSEARCH_USERNAME}'
        password: '${ELASTICSEARCH_PASSWORD}'
        #ssl.certificate_authorities:
         # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
        processors:
        - add_kubernetes_metadata: ~
      - module: kubernetes
        enabled: true
        metricsets:
          - event
      - module: system
        period: 10s
        metricsets:
          - cpu
          - load
          - memory
          - network
          - process
          - process_summary
        processes: ['.*']
        process.include_top_n:
          by_cpu: 5
          by_memory: 5
      - module: system
        period: 1m
        metricsets:
          - filesystem
          - fsstat
        processors:
        - drop_event.when.regexp:
            system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib)($|/)'
      output.elasticsearch:
        #hosts: '["https://${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}"]'
        hosts: 'hosts: 'https://xxx.com'
        ssl.enabled: true
        ssl.certificate_authorities: ["/usr/share/metricbeat/certs/ca.crt"]
        username: '${ELASTICSEARCH_USERNAME}'
        password: '${ELASTICSEARCH_PASSWORD}'
  nodeSelector: {}
  # A list of secrets and their paths to mount inside the pod
  # This is useful for mounting certificates for security other sensitive values
  secretMounts:
    - name: elasticsearch-master-certs
      secretName: elasticsearch-master-certs
      path: /usr/share/metricbeat/certs/
    #- name: ingress-cert-tls 
    #  secretName: ingress-cert-tls
    #  path: /usr/share/metricbeat/certs/
  #  - name: metricbeat-certificates
  #    secretName: metricbeat-certificates
  #    path: /usr/share/metricbeat/certs
  # Various pod security context settings. Bear in mind that many of these have an impact on metricbeat functioning properly.
  # - Filesystem group for the metricbeat user. The official elastic docker images always have an id of 1000.
  # - User that the container will execute as. Typically necessary to run as root (0) in order to properly collect host container logs.
  # - Whether to execute the metricbeat containers as privileged containers. Typically not necessarily unless running within environments such as OpenShift.
  securityContext:
    runAsUser: 0
    privileged: false
  resources:
    requests:
      cpu: "100m"
      memory: "100Mi"
    limits:
      cpu: "1000m"
      memory: "200Mi"
  tolerations: 
  - key: "node.kubernetes.io/unreachable"
    operator: "Exists"
    effect: "NoExecute"
    tolerationSeconds: 60

deployment:
  # Annotations to apply to the deployment
  annotations: {}
  # additionals labels
  labels: {}
  affinity: {}
  # Include the deployment
  enabled: true
  # Extra environment variables for Metricbeat container.
  envFrom: []
  # - configMapRef:
  #     name: config-secret
  extraEnvs:
    - name: "ELASTICSEARCH_USERNAME"
      valueFrom:
        secretKeyRef:
          name: elasticsearch-master-credentials
          key: username
    - name: "ELASTICSEARCH_PASSWORD"
      valueFrom:
        secretKeyRef:
          name: elasticsearch-master-credentials
          key: password
  #  - name: MY_ENVIRONMENT_VAR
  #    value: the_value_goes_here
  # Allows you to add any config files in /usr/share/metricbeat
  extraVolumes: []
  # - name: extras
  #   emptyDir: {}
  extraVolumeMounts: []
  # - name: extras
  #   mountPath: /usr/share/extras
  #   readOnly: true
  # such as metricbeat.yml for deployment
  hostAliases: []
  #- ip: "127.0.0.1"
  #  hostnames:
  #  - "foo.local"
  #  - "bar.local"
  metricbeatConfig:
    metricbeat.yml: |
      metricbeat.modules:
      - module: elasticsearch
        xpack.enabled: true
        period: 10s
        #hosts: '["https://${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}"]'
        hosts: 'https://xxx.com'
        ssl.enabled: false
        ssl.certificate_authorities: ["/usr/share/metricbeat/certs/ca.crt"]
        username: '${ELASTICSEARCH_USERNAME}'
        password: '${ELASTICSEARCH_PASSWORD}'
      - module: kubernetes
        enabled: true
        metricsets:
          - state_node
          - state_deployment
          - state_replicaset
          - state_pod
          - state_container
        period: 10s
        hosts: ["${KUBE_STATE_METRICS_HOSTS}"]
      output.elasticsearch:
        #hosts: '["https://${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}"]'
        hosts: 'https://xxx.com'
        username: '${ELASTICSEARCH_USERNAME}'
        password: '${ELASTICSEARCH_PASSWORD}'
        ssl.enabled: true
        ssl.certificate_authorities: ["/usr/share/metricbeat/certs/ca.crt"]
  nodeSelector: {}
  # A list of secrets and their paths to mount inside the pod
  # This is useful for mounting certificates for security other sensitive values
  secretMounts:
    - name: elasticsearch-master-certs
      secretName: elasticsearch-master-certs
      path: /usr/share/metricbeat/certs/
    #- name: ingress-cert-tls
    #  secretName: ingress-cert-tls
    #  path: /usr/share/metricbeat/certs/

  #  - name: metricbeat-certificates
  #    secretName: metricbeat-certificates
  #    path: /usr/share/metricbeat/certs
  securityContext:
    runAsUser: 0
    privileged: false
  resources:
    requests:
      cpu: "100m"
      memory: "100Mi"
    limits:
      cpu: "1000m"
      memory: "200Mi"
  tolerations: 
  - key: "node.kubernetes.io/unreachable"
    operator: "Exists"
    effect: "NoExecute"
    tolerationSeconds: 60

# Replicas being used for the kube-state-metrics metricbeat deployment
replicas: 1

extraContainers: ""
# - name: dummy-init
#   image: busybox
#   command: ['echo', 'hey']

extraInitContainers: ""
# - name: dummy-init
#   image: busybox
#   command: ['echo', 'hey']

# Root directory where metricbeat will write data to in order to persist registry data across pod restarts (file position and other metadata).
hostPathRoot: /var/lib

any idea? how can i connect from external k8s if i have metricbeats for send this output to my elastic? Can i ignore ssl? what certificated used/need?