We have an elasticsearch cluster with version 8.5.1, in a baremetal kubernetes cluster, and we have the need to change the CA and certificates of the cluster nodes.
I've already created the new CA and certificate for the nodes and created a secret in kubernetes with them, which is how the old certificate is. And in theory, update the new certificate is simple, changing the secret of the old certificate to the secret of the new one in the volumemount of the elastic statefulset.
The problem is that this causes the rollingupdate node by node, and the first node that is restarted, having a different certificate than the rest of the cluster, never joins, so I have had to reverse.
Note that we have a cluster of 3 masters and 5 data nodes, with a statefulset for both types of nodes. With this configuration, I would appreciate it if somebody could help me with the procedure to be able to change the certificate satisfactorily.