Encrypting Elasticsearch traffic requires creating SSL certificates, keys, signatures, and so on. Technically, this is the job of a PKI. We already have at least 2 PKIs in place: Puppet and a specific one built for Cassandra (https://github.com/wikimedia/operations-puppet/blob/production/modules/cassandra/files/cassandra-ca-manager).
It is fairly easy to use the existing Puppet PKI to generate slightly more complex certificates (https://wikitech.wikimedia.org/wiki/Puppet#SANs_for_puppet_certs).
Puppet certs are already used by k8s (https://github.com/wikimedia/operations-puppet/blob/production/modules/k8s/manifests/ssl.pp) and etcd (https://github.com/wikimedia/operations-puppet/blob/production/modules/etcd/manifests/ssl.pp). Some refactoring would be welcome, so that the same code is not duplicated a 3rd time.