I am deploying ECK in an on-premise Kubernetes cluster with Istio installed.
We drew a security perimeter at our gateway, meaning all the services are only reachable through the gateway, where TLS and authentication are done. Since we use Istio, our K8s services themselves don't need TLS (the Envoy proxy brings mTLS to each Pod).
Elasticsearch requires TLS in order to enable auth via OIDC. I don't understand why, but ok.
I cannot configure Elasticsearch with valid certificates using cert-manager - the elasticsearch-es-http K8s service is not reachable from the internet.
If I configure TLS at Elasticsearch with a self-signed certificate, I would need to add its CA to all services communicating with ES. And this seems unreasonable.
Why? Why am I forced to enable TLS on ES for OIDC to function?
Where in the OAuth2 flow is the "resource server" (ES in this case) required to have TLS? The IDP does not send requests directly to the resource server anyway.
The auth server has TLS configured.
What am I missing here?