Hey Gary,
Can you share which class of ingress you are using? I guess you are using your default cloud provider ingress: which one is it?
Generally, there are 3 ways to setup an ingress in front of Elasticsearch:
-
Make the ingress forward TCP connections to Elasticsearch directly, so Elasticsearch can do the TLS termination. For example with the NGINX ingress, this can be done with SSL passthrough configuration.
-
Terminate TLS at the ingress layer (with its own certificates), and make the ingress use HTTPS to reach Elasticsearch, which terminates TLS with its own certificates. For an example of how this can be achieved with the NGINX ingress, see this post. On GKE, it looks like an annotation allows it to be configured.
-
Disable HTTPS at Elasticsearch level, so the ingress uses HTTP to contact Elasticsearch. This is not currently supported with ECK.
Depending on your ingress class, you'll probably be able to either do 1. or 2.
Please let us know