Add TLS dialer to Kerberos transport as well (#18607)

CHANGELOG.next.asciidoc

@@ -244,6 +244,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Add config example of how to skip the `add_host_metadata` processor when forwarding logs. {issue}13920[13920] {pull}18153[18153]
 - When using the `decode_json_fields` processor, decoded fields are now deep-merged into existing event. {pull}17958[17958]
 - Add backoff configuration options for the Kafka output. {issue}16777[16777] {pull}17808[17808]
+- Add TLS support to Kerberos authentication in Elasticsearch. {pull}18607[18607]
 
 *Auditbeat*
 

libbeat/esleg/eslegclient/connection.go

@@ -129,28 +129,26 @@ func NewConnection(s ConnectionSettings) (*Connection, error) {
 		}
 	}
 
-	var httpClient esHTTPClient
 	// when dropping the legacy client in favour of the official Go client, it should be instrumented
 	// eg, like in https://github.com/elastic/apm-server/blob/7.7/elasticsearch/client.go
+	transp := apmelasticsearch.WrapRoundTripper(&http.Transport{
+		Dial:            dialer.Dial,
+		DialTLS:         tlsDialer.Dial,
+		TLSClientConfig: s.TLS.ToConfig(),
+		Proxy:           proxy,
+		IdleConnTimeout: s.IdleConnTimeout,
+	})
+
+	var httpClient esHTTPClient
 	httpClient = &http.Client{
-		Transport: apmelasticsearch.WrapRoundTripper(&http.Transport{
-			Dial:            dialer.Dial,
-			DialTLS:         tlsDialer.Dial,
-			TLSClientConfig: s.TLS.ToConfig(),
-			Proxy:           proxy,
-			IdleConnTimeout: s.IdleConnTimeout,
-		}),
-		Timeout: s.Timeout,
+		Transport: transp,
+		Timeout:   s.Timeout,
 	}
 
 	if s.Kerberos.IsEnabled() {
 		c := &http.Client{
-			Transport: &http.Transport{
-				Dial:            dialer.Dial,
-				Proxy:           proxy,
-				IdleConnTimeout: s.IdleConnTimeout,
-			},
-			Timeout: s.Timeout,
+			Transport: transp,
+			Timeout:   s.Timeout,
 		}
 		httpClient, err = kerberos.NewClient(s.Kerberos, c, s.URL)
 		if err != nil {