How to bootstrap security for an existing cluster

Cluster of 4 nodes currently running 6.8.12 soon to be upgraded to latest 7.x

This cluster started life several years ago, before xpack was available for free, so it was set up using host-based firewalls for security. Recently, as part of my research for the move to 7.x, I found out that xpack was now included in my current release. Yay!!!

There is plenty of documentation on how to bring up a new cluster with "security" but I can't find anything covering bootstrapping an existing cluster without shutting the cluster down and bringing the nodes back one at a time with "security" enabled.

As usual I expect I am missing something.

I am at the point where I have all the certificates (letsencrypt) installed, but I would rather not shut down the cluster completely if I don't have to.

Hi Russell,

I believe this is one of the situations where a cluster full restart is required:

When you encrypt communications between nodes, nodes that are configured to use TLS cannot communicate with nodes that are using unencrypted networking (and vice-versa).

I hope this helps.

Thanks Imma! I thought that probably was the case but I wanted to make sure. The sort of thing that would be needed would be to bring the SSL-enabled transport up on a different port so both could operate in parallel. But that would require that to be designed in from the start.

I will get all the configuration into the yaml files with comments so it should be really quick restarting the cluster.
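
Because a TLS-enabled node cannot talk to a plaintext one, a single node staged with the wrong settings will fail to rejoin after the full restart. The following is an added example, not part of the original thread or Elastic's own code: a pre-restart check over each node's staged `elasticsearch.yml`. It assumes flat dotted keys and PEM key/certificate settings; the node names and certificate paths are constructed.

```python
# Added example: check staged elasticsearch.yml files before the full restart.
# Assumes flat dotted keys ("a.b.c: value") and PEM key/certificate settings.
REQUIRED = {"xpack.security.enabled": "true",
            "xpack.security.transport.ssl.enabled": "true"}
REQUIRED_PRESENT = ("xpack.security.transport.ssl.key",
                    "xpack.security.transport.ssl.certificate")
MUST_MATCH = ("xpack.security.transport.ssl.verification_mode",)

# Constructed sample: node-4 was staged without its transport TLS lines.
GOOD = """xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/privkey.pem
xpack.security.transport.ssl.certificate: certs/fullchain.pem
"""
SAMPLE = {"node-1": GOOD, "node-2": GOOD, "node-3": GOOD,
          "node-4": "xpack.security.enabled: true  # TLS lines missing\n"}


def parse_flat_yaml(text):
    """Return {key: value} for 'key: value' lines, skipping blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def check_cluster(configs):
    """configs maps node name to yaml text; returns a sorted list of problems."""
    parsed = {node: parse_flat_yaml(text) for node, text in configs.items()}
    problems = []
    for node, cfg in parsed.items():
        for key, want in REQUIRED.items():
            if cfg.get(key, "").lower() != want:
                problems.append(f"{node}: {key} must be {want}")
        for key in REQUIRED_PRESENT:
            if not cfg.get(key):
                problems.append(f"{node}: {key} is not set")
    for key in MUST_MATCH:  # should be identical on every node
        values = sorted({cfg.get(key, "<default>") for cfg in parsed.values()})
        if len(values) > 1:
            problems.append(f"cluster: {key} differs across nodes: {values}")
    return sorted(problems)


if __name__ == "__main__":
    print("\n".join(check_cluster(SAMPLE)) or "all nodes consistent")
```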
