We already have an ES cluster running WITHOUT authentication and TLS. We are trying to enable the security feature.
Is it possible to achieve this with zero downtime? Two aspects of the problem:
1. Cluster internal communication. Once xpack.security.transport.ssl.enabled is enabled on some nodes, is it still possible for nodes (disabled) to communicate with nodes (enabled)?
If it is not possible, will the cluster be in a consistent state after we do a rolling upgrade of all of the nodes?
2. Is there a way for ES to have one port for HTTP and another port for HTTPS, so we can do a rolling upgrade of the application to switch to HTTPS (from HTTP)?
According to the documentation you must do a full restart:
Enabling TLS requires a full cluster restart. Nodes that have TLS enabled cannot communicate with nodes that do not have TLS enabled. You must restart all nodes to maintain communication across the cluster.
As the TLS lower version is from version 6.8, I guess that you may upgrade to at least this version...
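Because the documentation quoted above says nodes with transport TLS cannot talk to nodes without it, every node's staged elasticsearch.yml should agree before the full restart. The following pre-restart check is an added example, not code from this thread or from Elastic. The node names and sample configs are constructed, it handles scalar settings only, and it treats an absent setting as disabled (an assumption).

```python
# Added example: pre-restart check over staged elasticsearch.yml files.
SETTING = "xpack.security.transport.ssl.enabled"

def flatten_settings(text):
    """Flatten dotted and/or nested scalar settings into {dotted.key: value}."""
    settings, stack = {}, []                 # stack: (indent, key) of open parents
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()   # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue                         # skip blank and comment-only lines
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                      # leave finished nested blocks
        if value.strip():
            path = ".".join([k for _, k in stack] + [key.strip()])
            settings[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return settings

def transport_tls_enabled(text):
    # Assumption: an absent setting means transport TLS is off.
    return flatten_settings(text).get(SETTING, "false").lower() == "true"

def nodes_without_transport_tls(configs):
    """Return nodes whose staged config would leave them unable to join the cluster."""
    return sorted(n for n, text in configs.items() if not transport_tls_enabled(text))

# Constructed sample configs (hypothetical node names), not from the original thread.
STAGED = {
    "node-1": "cluster.name: prod\nxpack.security.enabled: true\n"
              "xpack.security.transport.ssl.enabled: true\n",
    "node-2": "xpack:\n  security:\n    enabled: true\n    transport:\n"
              "      ssl:\n        enabled: true  # nested form\n",
    "node-3": "xpack.security.enabled: true\n"
              "# xpack.security.transport.ssl.enabled: true\n",
}

if __name__ == "__main__":
    missing = nodes_without_transport_tls(STAGED)
    print("ready for full restart" if not missing else f"fix first: {missing}")
```

Here node-3 is flagged because its transport TLS line is still commented out, so it would come back from the restart unable to join the TLS-enabled nodes.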