Enable Security with zero downtime

Elastic Stack Elasticsearch
1

We already have an ES cluster running WITHOUT authentication and TLS. We are trying to enable the security feature.
Is it possible to achieve this with zero down time? Two aspects of the problem:

  1. Cluster internal communication. Once xpack.security.transport.ssl.enabled on some nodes are enabled.
    Is it still possible for nodes(disabled) to communicate with nodes(enabled)?
    If it is not possible, will the cluster be in a consistent state after we rolling upgrade all of the nodes?

  2. Is there way for ES to have one port for http and another port for https? So we can rolling upgrade application to switch to https(from http)?

Thanks a lot!

2

Hi @P_Gong,

According to the documentation you must do a full restart:

Enabling TLS requires a full cluster restart. Nodes that have TLS enabled cannot communicate with nodes that do not have TLS enabled. You must restart all nodes to maintain communication across the cluster.

As the TLS lower version is from version 6.8 I guess that you may upgrade to at least this version...

3

What @gabriel_tessier says is right, but just to add that this is something we're working on.

4

Thanks a lot @gabriel_tessier, @DavidTurner