You can provide your own CA and certificates instead of the self-signed certificate to connect to Elasticsearch via HTTPS using a Kubernetes secret.

You need to reference the name of a secret that contains a TLS private key and a certificate (or a chain), in the spec.http.tls.certificate section.

spec:
  http:
    tls:
      certificate:
        secretName: my-cert

This is an example on how create a Kubernetes TLS secret with a self-signed certificate:

$ openssl req -x509 -newkey rsa:4096 -keyout tls.key -out tls.crt -days 365 -nodes
$ kubectl create secret tls my-cert --cert tls.crt --key tls.key