[DOCS] Adds TLS warning to rolling upgrades (#35841)

docs/reference/setup/bootstrap-checks-xes.asciidoc

@@ -49,6 +49,7 @@ valid. The Distinguished Names (DNs) that are listed in the role mappings files
 must also be valid.
 
 [float]
+[[bootstrap-checks-tls]]
 === SSL/TLS check
 //See TLSLicenseBootstrapCheck.java
 

docs/reference/upgrade/rolling_upgrade.asciidoc

@@ -13,6 +13,11 @@ Upgrading from earlier 5.x versions requires a <<restart-upgrade,
 full cluster restart>>. You must <<reindex-upgrade,reindex to upgrade>> from
 versions prior to 5.x.
 
+WARNING: If the {es} {security-features} are enabled on your 5.x cluster, before
+you can do a rolling upgrade you must encrypt the internode-communication with
+SSL/TLS, which requires a full cluster restart. For more information about this
+requirement and the associated bootstrap check, see <<bootstrap-checks-tls>>.
+
 To perform a rolling upgrade:
 
 . *Disable shard allocation*.