Implement ECK monitoring support for presenting client certificates to elasticsearch #9334
Merged
pkoutsovasilis merged 2 commits into elastic:main from Apr 17, 2026
✅ Snyk checks have passed. No issues have been found so far.
buildkite test this -f p=gke,t=TestESStackClientAuthTransition.*,E2E_TAGS=es -m s=9.3.3,s=8.19.14,s=9.2.8
… both source and target elasticsearch
48ba8b5 to e8d27fc
buildkite test this -f p=gke,t=TestESStackClientAuthTransition.*,E2E_TAGS=es -m s=9.3.3,s=8.19.14,s=9.2.8,s=9.4.0-SNAPSHOT
moukoublen approved these changes Apr 15, 2026
Summary
This PR adds client certificate support to the stack monitoring (Metricbeat/Filebeat sidecar) infrastructure so that monitoring sidecars can authenticate via mTLS when connecting to Elasticsearch clusters that have client authentication enabled. This covers two distinct scenarios: the Metricbeat sidecar connecting to the source (monitored) Elasticsearch over its HTTP endpoint, and the monitoring output connecting to the target (monitoring) Elasticsearch cluster.
Relates #9081
Changes
- buildOutputConfig to return a third value — a client certificate volume — when the monitoring target ES association has clientCertSecretName configured. Adds ssl.certificate and ssl.key to the Beat output configuration pointing to the mounted client certificate files
- NewMetricBeatSidecar to accept an optional clientCertVolume parameter, which is mounted into the sidecar container alongside the existing CA volume
- clientAuthenticationRequired), the operator mounts the internal operator client certificate into the Metricbeat sidecar so it can authenticate to the local ES HTTP endpoint via mTLS. The clientAuthenticationRequired flag is threaded through WithMonitoring, ReconcileConfigSecrets, and Metricbeat
- TestESStackClientAuthTransitionMonitored (verifies monitoring continues working when the monitored ES transitions from client auth enabled to disabled) and TestESStackClientAuthTransitionMonitoring (verifies monitoring continues working when the monitoring target ES transitions from client auth enabled to disabled)
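
The three-value return described under Changes, as an added Go example that is not the operator's own code. The `Assoc` and `SecretVolume` types, the `buildOutput` name, the volume names, the mount paths and the `tls.crt`/`tls.key` file names are assumptions made for illustration; only `ssl.certificate`, `ssl.key` and the `clientCertSecretName` setting come from the description.

```go
package main

import (
	"fmt"
	"path"
)

// Assoc is a hypothetical stand-in for the monitoring association settings.
type Assoc struct {
	URL, CASecretName    string
	ClientCertSecretName string // empty when the target ES does not ask for client certificates
}

// SecretVolume is a hypothetical, simplified description of a Secret mounted into the sidecar.
type SecretVolume struct{ Name, SecretName, MountPath string }

// Constructed mount root, not taken from the operator's code.
const certsDir = "/mnt/example/monitoring"

// buildOutput returns the Beat Elasticsearch output settings, the CA volume and,
// only when a client certificate Secret is configured, a client certificate volume.
func buildOutput(a Assoc) (map[string]any, SecretVolume, *SecretVolume) {
	ca := SecretVolume{"es-ca", a.CASecretName, path.Join(certsDir, "ca")}
	cfg := map[string]any{
		"hosts":                       []string{a.URL},
		"ssl.certificate_authorities": []string{path.Join(ca.MountPath, "ca.crt")},
	}
	if a.ClientCertSecretName == "" {
		// No ssl.certificate/ssl.key here: they would point at files that are never mounted.
		return cfg, ca, nil
	}
	cc := &SecretVolume{"es-client-cert", a.ClientCertSecretName, path.Join(certsDir, "client")}
	// Certificate and key are always set together and both resolve inside the mounted Secret.
	cfg["ssl.certificate"] = path.Join(cc.MountPath, "tls.crt")
	cfg["ssl.key"] = path.Join(cc.MountPath, "tls.key")
	return cfg, ca, cc
}

func main() {
	for _, a := range []Assoc{ // constructed sample associations
		{"https://monitoring-es-http:9200", "mon-ca", "mon-client-cert"},
		{"https://monitoring-es-http:9200", "mon-ca", ""},
	} {
		cfg, _, cc := buildOutput(a)
		fmt.Println(cfg["ssl.certificate"], cfg["ssl.key"], cc != nil)
	}
}
```

The second sample mirrors the transition the e2e tests cover: once the Secret name is cleared, the output must carry neither `ssl.certificate` nor `ssl.key`, and no client certificate volume is returned.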