Is a rolling update to enable security possible?

I'm nearly positive the answer is "no", but I wanted to ask!

I have several clusters currently at v7.17 that do not have authentication/TLS/etc. enabled. I would like to enable it, for obvious reasons, but they cannot be fully shut down. I had been somewhat hoping v8 would enable a rolling update to add security (though I can see how it would be very difficult), but from reading the docs that doesn't seem to be the case.

I can create new clusters and migrate, but if we could do it in place without a total shutdown that would be lovely.

Thanks!

You can't, sorry to say. TLS needs to be enabled on all nodes at the same time (or, from startup onwards for all nodes).

What Mark said is correct. We have a public issue for this feature, but the work has been put on hold because the benefit-to-cost ratio is rather low and we have many other priorities.

Thank you both! I definitely understand how non-trivial this functionality would be to implement and the cost:benefit choice being made. I'll watch the issue until the update becomes a must.

Hello,

I do understand I cannot use elasticsearch-setup-passwords in an unsecure production Elasticsearch 7.17 cluster right now (public issue not a priority one).

However, did anybody succeed in using elasticsearch-setup-passwords interactive with the same set of passwords on every node (while ignoring the warning) and then activating TLS transport?

I know some people turned each node into a single dev-mode cluster with data apart (so elasticsearch-setup-passwords works fine) before reverting to a production-mode cluster, but I wonder if a simpler way is safe.

Welcome to our community!

Please start a new topic for your question.