My current network has no TLS, deployed on Kubernetes. Currently, we are migrating from Kafka (1.4.0) to RAFT(1.4.4). TLS is not necessary for Kubernetes.

1. Is it compulsory to have TLS enabled for the RAFT ordering node?
2. If yes, Can I enable on the fly while migrating to RAFT?
3. Is it possible to configure Orderers to use TLS only for Raft communication?

Currently, I am getting the following error when I change the consensus in the configuration block and send it to the orderer.

2019-12-09 15:38:02.269 UTC [orderer.common.server] initializeClusterClientConfig -> PANI 208 TLS is required for running ordering nodes of type kafka. panic: TLS is required for running ordering nodes of type kafka.

1. Yes, TLS is a must for Raft ordering nodes
2. Yes, you can enable TLS by inserting an environment TLS_ENABLED=true inside your orderers and also mapping the correct folders with tls certificates.
3. No, every component that wants to communicate with a Raft orderer must connect with TLS. Let's suppose you have a cli and you want to connect to the orderer. The cli must have TLS enabled, the correct TLS certificates to enstablish a connection and do an handshake, and the commands must be called with --tls true and --clientauth