From 599ddd8e1f8a5e370d93d9675c7a47e48e29afcd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?=
Date: Mon, 18 May 2020 09:20:02 +0200
Subject: [PATCH 1/2] add tls options to kerberos transport as well
---
 libbeat/esleg/eslegclient/connection.go | 28 ++++++++++++-------------
 1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/libbeat/esleg/eslegclient/connection.go b/libbeat/esleg/eslegclient/connection.go
index 138c9ab3c83..46d4840cda8 100644
--- a/libbeat/esleg/eslegclient/connection.go
+++ b/libbeat/esleg/eslegclient/connection.go
@@ -129,28 +129,26 @@ func NewConnection(s ConnectionSettings) (*Connection, error) {
 }
 }
- var httpClient esHTTPClient
 // when dropping the legacy client in favour of the official Go client, it should be instrumented
 // eg, like in https://github.com/elastic/apm-server/blob/7.7/elasticsearch/client.go
+ transp := apmelasticsearch.WrapRoundTripper(&http.Transport{
+ Dial: dialer.Dial,
+ DialTLS: tlsDialer.Dial,
+ TLSClientConfig: s.TLS.ToConfig(),
+ Proxy: proxy,
+ IdleConnTimeout: s.IdleConnTimeout,
+ })
+
+ var httpClient esHTTPClient
 httpClient = &http.Client{
- Transport: apmelasticsearch.WrapRoundTripper(&http.Transport{
- Dial: dialer.Dial,
- DialTLS: tlsDialer.Dial,
- TLSClientConfig: s.TLS.ToConfig(),
- Proxy: proxy,
- IdleConnTimeout: s.IdleConnTimeout,
- }),
- Timeout: s.Timeout,
+ Transport: transp,
+ Timeout: s.Timeout,
 }
 if s.Kerberos.IsEnabled() {
 c := &http.Client{
- Transport: &http.Transport{
- Dial: dialer.Dial,
- Proxy: proxy,
- IdleConnTimeout: s.IdleConnTimeout,
- },
- Timeout: s.Timeout,
+ Transport: transp,
+ Timeout: s.Timeout,
 }
 httpClient, err = kerberos.NewClient(s.Kerberos, c, s.URL)
 if err != nil {
From 418f34b7a9bd63169ae15b6e48fb5a93a2732361 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?=
Date: Mon, 18 May 2020 09:29:37 +0200
Subject: [PATCH 2/2] add changelog entry
---
 CHANGELOG.next.asciidoc | 1 +
 1 file changed, 1 insertion(+)
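Review bot: The two `http.Client` literals in this hunk are now field-for-field identical (`Transport: transp`, `Timeout: s.Timeout`), so the Kerberos branch builds a second client only to wrap it while the first is discarded. Building it once with `c := &http.Client{Transport: transp, Timeout: s.Timeout}` followed by `var httpClient esHTTPClient = c`, and passing `c` to `kerberos.NewClient` inside the `if`, leaves a single place where the TLS dialer, `TLSClientConfig` and proxy are attached, so the authenticated path cannot fall out of step with the plain one again. The patch also adds no test that a Kerberos-enabled connection uses the configured TLS settings; a case against a TLS test server whose CA is present only in `s.TLS` would pin that. `NewConnection` begins and ends outside this hunk, so the declarations of `dialer`, `tlsDialer`, `proxy` and `err` are not visible here.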
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 7471b1b99f8..c4337c45f34 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -244,6 +244,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Add config example of how to skip the `add_host_metadata` processor when forwarding logs. {issue}13920[13920] {pull}18153[18153]
 - When using the `decode_json_fields` processor, decoded fields are now deep-merged into existing event. {pull}17958[17958]
 - Add backoff configuration options for the Kafka output. {issue}16777[16777] {pull}17808[17808]
+- Add TLS support to Kerberos authentication in Elasticsearch. {pull}18607[18607]
 *Auditbeat*