TLS SANs not applied to Logstash custom service certificate in ECK

Context

I have Filebeat installed on a VM and I’m trying to send logs to a Logstash instance deployed on a K3s cluster.

Description of the issue

When configuring a custom Logstash service with selfSignedCertificate and subjectAltNames in ECK, the generated certificate does not include the specified SANs. This causes TLS handshake failures when clients (e.g., Filebeat) validate the certificate against the hostname used for connection.

I’m using the eck-stack Helm Chart. Here’s the snippet for eck-logstash:

eck-logstash:
  enabled: true
  fullnameOverride: logstash

  count: 1
  elasticsearchRefs:
    - clusterName: elasticsearch-es
      name: elasticsearch
  monitoring:
    metrics:
      elasticsearchRefs:
      - name: elasticsearch
    logs:
      elasticsearchRefs:
      - name: elasticsearch
  config:
    pipeline.workers: 4
    log.level: debug
  pipelines:
    - pipeline.id: main
      config.string: |
        [...]
  services:
    - name: filebeat-to-logstash
      service:
        spec:
          type: LoadBalancer
          ports:
          - port: 5044
            targetPort: 5044
            name: "filebeat-to-logstash"
            protocol: TCP
  http:
    service:
      spec:
        type: LoadBalancer
    tls:
      selfSignedCertificate:
        subjectAltNames:
        - dns: logstash-vm.example.com
  podTemplate:
    spec:
      ports:
        - containerPort: 5044
          name: filebeat-to-logstash

I did this according to the documentation and it works for Fleet Server but Logstash does not take it into account.

The particularity is that I had to create a custom LoadBalancer service in order to expose the port that will be used by my Beats (5044), because only the API (9600) has a service created by the Operator by default.

Is this supported by the Chart? Am I doing it the wrong way?
Initially, I wanted to open an issue on GitHub but I’m not sure how to categorize it, so I’m posting it here first.

Steps to reproduce:

Deploy Logstash with ECK using the provided configuration.

  1. Check the certificate exposed on port 5044 using:

    openssl s_client -connect logstash-vm.example.com:5044 -showcerts
    
  2. Observe that the certificate does not include the SAN logstash-vm.example.com

  3. Filebeat fails to connect with the error:

x509: certificate is valid for logstash-ls-http.collog.ls.local, logstash-ls-http, logstash-ls-api.collog.svc, logstash-ls-api.collog, not logstash-vm.example.com