Configuring TLS for Connecting Spring Boot to Elasticsearch

How to use self-signed certificates in Spring Boot to connect to Elasticsearch when using Elastic Cloud on Kubernetes (ECK)

I wanted to put together an article that combines everything I found around the web on how to use self-signed certificates with Spring Boot when using Elastic Cloud on Kubernetes.

The Keystore

There are two options for creating the keystore we need to connect securely to Elasticsearch: using the keytool or Keystore API. But I found that creating the Keystore programmatically was the better approach when publishing a Kubernetes cluster in the cloud since this configuration allows us to use the same configurations for a local development environment and in a cloud Kubernetes cluster such as AWS EKS.

Creating keystore with keytool

To create the keystore:

  1. Download the cert from cluster secrets and save as tls.crt

    kubectl get secret "es1-es-http-certs-public" -o go-template='{{index .data "tls.crt" | base64decode }}' > tls.crt
  2. Use the keytool to create the keystore and import the certificate

    keytool -import -v -trustcacerts -file tls.crt -keystore keystore.jks -keypass changeit -storepass changeit

Java Keystore API

For more information on the API see Baeldung's awesome article on the java keystore

To create a keystore programmatically that will store the certificate retrieved from Kubernetes cluster secrets used to authenticate with ES cluster

public class SSLConfig {
    private final char[] keyStorePass = "changeit".toCharArray();
    private final String certPathName = new File("/etc/es-certificates/tls.crt").isFile() ? "/etc/es-certificates/tls.crt" : "tls.crt";
    private final File keyStoreFile;

    public SSLConfig() throws Exception {
        keyStoreFile = this.generateKeyStoreFile();

    Certificate generateCert() throws Exception {
        InputStream inStream = new FileInputStream(certPathName);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertificate(inStream);

    File generateKeyStoreFile() throws Exception {
        String keyStoreName = "keystore.jks";
        File f = new File(keyStoreName);
        if (f.isFile()) return f;

        Certificate cert = this.generateCert();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.setCertificateEntry("es-http-public", cert); FileOutputStream(keyStoreName), keyStorePass);
        return new File(keyStoreName);

    public SSLContext getSSLContext() throws Exception {
        SSLContextBuilder builder = SSLContexts.custom();
            builder.loadTrustMaterial(keyStoreFile, keyStorePass, new TrustSelfSignedStrategy());

Spring Elasticsearch Configuration

The Java High-Level REST Client is based on the Low-Level Client, which has can be used for encrypted communication

public class ESConfig extends AbstractElasticsearchConfiguration {
    public String elasticsearchUrl;
    public String elasticsearchPort;
    public String elasticsearchUsername;
    public String elasticsearchPassword;

    private SSLConfig sslConfig;

    public ESConfig() throws Exception {
        sslConfig = new SSLConfig();

    public RestHighLevelClient elasticsearchClient() {
        SSLContext sslContext = null;
        try {
            sslContext = sslConfig.getSSLContext();
        } catch (Exception e) {

        final ClientConfiguration config = ClientConfiguration.builder()
                .connectedTo(elasticsearchUrl + ":" + elasticsearchPort)
                .withBasicAuth(elasticsearchUsername, elasticsearchPassword)
        return RestClients.create(config).rest();

Using TLS Secret as a file in the Spring Pod

To use the certificate stored as a secret by ECK, we can mount it in our deployment manifest and make it available in the API container.

apiVersion: apps/v1
kind: Deployment
  name: search-api
  namespace: default
  replicas: 1
      app: search-api
        app: search-api
        namespace: default
        - image: $IMAGE
          name: search-api
          imagePullPolicy: Always
            - containerPort: 8080
            - name: es-certificates
              mountPath: "/etc/es-certificates"
            - name: ES_CERT
                  name: es1-es-http-certs-public
                  key: tls.crt
            - name: ES_USER
              value: "elastic"
            - name: ES_PWD
                  name: es1-es-elastic-user
                  key: elastic
            - name: ES_URL
              value: "es1-es-http"
        - name: es-certificates
            secretName: es1-es-http-certs-public