From ad9453a107bef36fb9bb5c7ff99a04ca906cba08 Mon Sep 17 00:00:00 2001 From: Geoffrey Wossum Date: Mon, 22 Dec 2025 16:47:25 -0600 Subject: [PATCH] fix: move Raft auth docs from data node to meta node (#6669) Move documentation on Raft authentication from data nodes page to meta node page. Also add note with recommended staging for enabling Raft authentication in an existing cluster. Co-authored-by: Jason Stirnaman --- .../configure/config-data-nodes.md | 23 --------------- .../configure/config-meta-nodes.md | 28 +++++++++++++++++++ 2 files changed, 28 insertions(+), 23 deletions(-) diff --git a/content/enterprise_influxdb/v1/administration/configure/config-data-nodes.md b/content/enterprise_influxdb/v1/administration/configure/config-data-nodes.md index 608be8f9b..4a6e54d9a 100644 --- a/content/enterprise_influxdb/v1/administration/configure/config-data-nodes.md +++ b/content/enterprise_influxdb/v1/administration/configure/config-data-nodes.md 
@@ -259,29 +259,6 @@ For detailed configuration information, see [`meta.ensure-fips`](/enterprise_inf Environment variable: `INFLUXDB_META_ENSURE_FIPS` -#### raft-portal-auth-required {metadata="v1.12.0+"} - -Default is `false`. - -Require Raft clients to authenticate with server using the -[`meta-internal-shared-secret`](#meta-internal-shared-secret). -This requires that all meta nodes are running InfluxDB Enterprise v1.12.0+ and -are configured with the correct `meta-internal-shared-secret`. - -Environment variable: `INFLUXDB_META_RAFT_PORTAL_AUTH_REQUIRED` - -#### raft-dialer-auth-required {metadata="v1.12.0+"} - -Default is `false`. - -Require Raft servers to authenticate Raft clients using the -[`meta-internal-shared-secret`](#meta-internal-shared-secret). -This requires that all meta nodes are running InfluxDB Enterprise v1.12.0+, have -`raft-portal-auth-required=true`, and are configured with the correct -`meta-internal-shared-secret`. - -Environment variable: `INFLUXDB_META_RAFT_DIALER_AUTH_REQUIRED` - ----- ## Data settings diff --git a/content/enterprise_influxdb/v1/administration/configure/config-meta-nodes.md b/content/enterprise_influxdb/v1/administration/configure/config-meta-nodes.md index a08c07def..68a1cb908 100644 --- a/content/enterprise_influxdb/v1/administration/configure/config-meta-nodes.md +++ b/content/enterprise_influxdb/v1/administration/configure/config-meta-nodes.md 
@@ -447,6 +447,34 @@ Environment variable: `INFLUXDB_META_ENSURE_FIPS` [NIST Special Publication 800-132]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf +#### raft-portal-auth-required {metadata="v1.12.0+"} + +Default is `false`. + +Require Raft clients to authenticate with server using the +[`meta-internal-shared-secret`](#meta-internal-shared-secret). +This requires that all meta nodes are running InfluxDB Enterprise v1.12.0+ and +are configured with the correct `meta-internal-shared-secret`. + +For maximum security, `raft-dialer-auth-required` should be configured along with `raft-dialer-auth-required`. + +Environment variable: `INFLUXDB_META_RAFT_PORTAL_AUTH_REQUIRED` + +#### raft-dialer-auth-required {metadata="v1.12.0+"} + +Default is `false`. + +Require Raft servers to authenticate Raft clients using the +[`meta-internal-shared-secret`](#meta-internal-shared-secret). +This requires that all meta nodes are running InfluxDB Enterprise v1.12.0+, have +`raft-portal-auth-required=true`, and are configured with the correct +`meta-internal-shared-secret`. For existing clusters, it is recommended to enable `raft-portal-auth-required` and restart +meta nodes first, then enable `raft-dialer-auth-required` in another step. +This will eliminate downtime from Raft authentication mismatches. + +Environment variable: `INFLUXDB_META_RAFT_DIALER_AUTH_REQUIRED` + + ### TLS settings For more information, see [TLS settings for data nodes](/enterprise_influxdb/v1/administration/config-data-nodes#tls-settings).
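Review bot: In the config-meta-nodes.md hunk, the sentence added under `raft-portal-auth-required` names the same option twice: "`raft-dialer-auth-required` should be configured along with `raft-dialer-auth-required`". Because it sits in the portal section, the first name was presumably meant to be `raft-portal-auth-required`; as written, the sentence does not tell the reader which two settings to pair. In the same hunk, the staging recommendation for existing clusters starts mid-line after "`meta-internal-shared-secret`." and appears only under `raft-dialer-auth-required`. Consider giving it its own paragraph and referencing it from the `raft-portal-auth-required` section as well, since that is the setting the note says to enable first.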
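Review bot: In the config-data-nodes.md hunk, deleting the `#### raft-portal-auth-required` and `#### raft-dialer-auth-required` headings also removes their anchors from the data nodes page, and the hunk leaves nothing behind that points readers to the new location. Please check the docs for links that target those two anchors on config-data-nodes.md and repoint them to config-meta-nodes.md. Separately, the moved text keeps the same-page link `(#meta-internal-shared-secret)`; confirm that anchor exists on the meta nodes page so the link still resolves after the move.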