Rolling update

When asking questions, please provide the following information:

I need to upgrade my current cluster from 6.2.2 to 6.5.1.

We are maintaining a Docker image where we are generating the SSL certificates every version. I am trying to do a rolling update to avoid downtime in production, but given that the 2 versions will have different SSL certificates they won't join (correct me if I am wrong). Is there a setting where I can disable SSL inter-cluster at all for the time of the update?

No, TLS on transport is one of the cornerstones of the security architecture, so you cannot disable it. You are right, if you have 2 different certificates the nodes won’t join and you will end up with a split cluster. The way to switch certificates would be to add both root CAs to the root CA PEM file. If this is not possible due to the way your Docker images are structured, I think there is no way to avoid downtime.


I suggest (if it's really necessary/useful to recreate the certificates with every version) to keep the CA at least.

On 05.12.2018 at 11:56, Jochen Kressin <jkressin@floragunn.com> wrote:

No, TLS on transport is one of the cornerstones of the security architecture, so you cannot disable it. You are right, if you have 2 different certificates the nodes won't join and you will end up with a split cluster. The way to switch certificates would be to add both root CAs to the root CA PEM file. If this is not possible due to the way your Docker images are structured, I think there is no way to avoid downtime.

On Wednesday, December 5, 2018 at 5:57:34 AM UTC+1, Roman Kournjaev wrote:
When asking questions, please provide the following information:

I need to upgrade my current cluster from 6.2.2 to 6.5.1.
We are maintaining a Docker image where we are generating the SSL certificates every version. I am trying to do a rolling update to avoid downtime in production, but given that the 2 versions will have different SSL certificates they won't join (correct me if I am wrong). Is there a setting where I can disable SSL inter-cluster at all for the time of the update?

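
The switch described in the replies above (both root CAs in one root CA PEM file), as an added example that is not part of the original thread or of Search Guard's own tooling: it generates two throwaway CAs and one node certificate from each with the openssl CLI, then checks which trust files accept which certificate. The generation names old/new and all file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example; all CAs, keys and file names are throwaway and hypothetical.
# Requires the openssl command-line tool.

make_ca() {          # $1 = generation name -> $1-ca.key, $1-ca.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1-root-ca" -keyout "$1-ca.key" -out "$1-ca.pem" 2>/dev/null
}

make_node_cert() {   # $1 = generation name -> $1-node.pem, signed by $1-ca
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1-node" \
    -keyout "$1-node.key" -out "$1-node.csr" 2>/dev/null &&
  openssl x509 -req -in "$1-node.csr" -days 1 -CA "$1-ca.pem" \
    -CAkey "$1-ca.key" -CAcreateserial -out "$1-node.pem" 2>/dev/null
}

trusts() {           # $1 = trust file, $2 = node cert; status 0 if it verifies
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {           # print the accept/reject matrix for every trust file
  for ca in old-ca.pem new-ca.pem root-ca.pem; do
    for node in old-node.pem new-node.pem; do
      if trusts "$ca" "$node"; then verdict=accepted; else verdict=REJECTED; fi
      echo "trust=$ca cert=$node $verdict"
    done
  done
}

workdir=$(mktemp -d) && cd "$workdir" || exit 1
for gen in old new; do
  make_ca "$gen" && make_node_cert "$gen" || exit 1
done
# Both roots concatenated into one PEM trust file, as the reply suggests.
cat old-ca.pem new-ca.pem > root-ca.pem
report
```

A trust file holding only one root rejects the other generation's node certificate, which is the split cluster the reply describes; the combined root-ca.pem accepts both, so nodes from either image can verify each other during the rolling update.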