as mentioned here - #247

This operator depends on use of the searchguard-ssl plugin for TLS encryption. However searchguard-ssl is no longer distributed as a standalone plugin past ES version 6.2.4 - https://docs.search-guard.com/latest/search-guard-versions

it has been rolled into the main searchguard plugin.

In order to support ES versions 6.3+ the full blown searchguard plugin needs to be used.

This requires additional steps such as initializing sgadmin prior to any endpoint on port 9200 being available (including _cluster/health and so on) .

This creates an issue as sgadmin itself will not initialize until the masters can reach quorum. And the masters will never reach quorum as discovery.zen.ping.unicast.hosts: ${DISCOVERY_SERVICE} is pointing to a kubernetes service in which all endpoints are failing due to sgadmin not being initialized.

Ive written a quick patch that changes the healthcheck to a TCP port 9300 check to resolve this.

Im open to feedback for better solutions.

Ive made a custom elasticsearch docker image that handles the sgadmin initialization here - https://github.com/while1eq1/elasticsearch-kubernetes-searchguard