diff --git a/doc/source/discussion/components.rst b/doc/source/discussion/components.rst index bde69e60e2..e00c84ddcb 100644 --- a/doc/source/discussion/components.rst +++ b/doc/source/discussion/components.rst @@ -183,7 +183,7 @@ The following sections of ``zuul.conf`` are used by all Zuul components: .. attr:: zookeeper - Client connection information for ZooKeeper + Client connection information for ZooKeeper. TLS is required. .. attr:: hosts :required: @@ -191,23 +191,26 @@ The following sections of ``zuul.conf`` are used by all Zuul components: A list of zookeeper hosts for Zuul to use when communicating with Nodepool. + .. attr:: tls_cert + :required: + + The path to the PEM encoded certificate file. + + .. attr:: tls_key + :required: + + The path to the PEM encoded key file. + + .. attr:: tls_ca + :required: + + The path to the PEM encoded CA certificate file. + .. attr:: session_timeout :default: 10.0 The ZooKeeper session timeout, in seconds. - .. attr:: tls_cert - - If using TLS, the path to the PEM encoded certificate file. - - .. attr:: tls_key - - If using TLS, the path to the PEM encoded key file. - - .. attr:: tls_ca - - If using TLS, the path to the PEM encoded CA certificate file. - .. _scheduler: Scheduler diff --git a/releasenotes/notes/4.0.0-d707ea7649a815dd.yaml b/releasenotes/notes/4.0.0-d707ea7649a815dd.yaml new file mode 100644 index 0000000000..89d83f1a0b --- /dev/null +++ b/releasenotes/notes/4.0.0-d707ea7649a815dd.yaml 
@@ -0,0 +1,24 @@ +--- +prelude: > + This is the first 4.x release of Zuul. It requires some deployment + changes by operators which have been carefully planned in order to + facilitate work on Zuul version 5, which will be the first version + of Zuul where every component is fault tolerant and able to scale. + + If you read the release notes for the last 3.x release, you may have + already made all of the required changes. If not, please do so + before upgrading to version 4. Every required change in version 4 + is optionally supported in 3.19, so it is safe to make these changes + and then upgrade. + + Please read all of the notes below, especially in the "Upgrading" + section for details. The primary additional requirements are: + + * TLS ZooKeeper connections + * Network connectivity from all components to ZooKeeper + * An SQL database + + With these changes in place, it is anticipated that further upgrades + to Zuul made in support of the scale-out-scheduler work will be done + with minimal disruption in the course of normal releases between + version 4 and 5. diff --git a/releasenotes/notes/zookeeper-connections-e19eb2dfd2804087.yaml b/releasenotes/notes/zookeeper-connections-e19eb2dfd2804087.yaml index 4f161c64ee..f8c30d04de 100644 --- a/releasenotes/notes/zookeeper-connections-e19eb2dfd2804087.yaml +++ b/releasenotes/notes/zookeeper-connections-e19eb2dfd2804087.yaml @@ -3,4 +3,5 @@ upgrade: - | The :attr:`zookeeper` section in ``zuul.conf`` is required for all components, and all components must now be able to connect to - ZooKeeper. + ZooKeeper. Additionally, TLS is now required for all ZooKeeper + connections. See :ref:`zk-encrypted-connections` for more details. diff --git a/zuul/cmd/executor.py b/zuul/cmd/executor.py index 1e9af792b8..343aa44e1a 100755 --- a/zuul/cmd/executor.py +++ b/zuul/cmd/executor.py 
@@ -98,12 +98,15 @@ class Executor(zuul.cmd.ZuulDaemonApp): self.start_log_streamer() zk_client = ZooKeeperClient() - zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None) + zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts') if not zookeeper_hosts: raise Exception("The zookeeper hosts config value is required") zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key') zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert') zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca') + if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca): + raise Exception("A TLS ZooKeeper connection is required; " + "please supply the tls_* zookeeper config values.") zookeeper_timeout = float(get_default(self.config, 'zookeeper', 'session_timeout', 10.0)) zk_client.connect( diff --git a/zuul/cmd/fingergw.py b/zuul/cmd/fingergw.py index abc8c3bef4..43920315ff 100644 --- a/zuul/cmd/fingergw.py +++ b/zuul/cmd/fingergw.py @@ -74,12 +74,15 @@ class FingerGatewayApp(zuul.cmd.ZuulDaemonApp): ssl_ca = get_default(self.config, 'gearman', 'ssl_ca') zk_client = ZooKeeperClient() - zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None) + zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts') if not zookeeper_hosts: raise Exception("The zookeeper hosts config value is required") zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key') zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert') zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca') + if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca): + raise Exception("A TLS ZooKeeper connection is required; " + "please supply the tls_* zookeeper config values.") zookeeper_timeout = float(get_default(self.config, 'zookeeper', 'session_timeout', 10.0)) zk_client.connect( diff --git a/zuul/cmd/merger.py b/zuul/cmd/merger.py index e21da91b9c..dc048ba10c 100755 --- a/zuul/cmd/merger.py 
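Review bot: The new TLS guard in executor.py is repeated verbatim in fingergw.py, merger.py and scheduler.py, and its error does not say which of tls_key, tls_cert or tls_ca is unset, so an operator with a partially filled section gets the same message as one with none. Since all four classes subclass zuul.cmd.ZuulDaemonApp, the hosts check and the TLS check belong in one helper there; until then the in-file form below names the missing keys and keeps the fail-closed behaviour. This is a presence check on configuration only — whether the connection also fails closed when a listed file is missing or unreadable depends on `zk_client.connect`, which is outside the hunk. The enclosing method starts before the hunk and continues past `zk_client.connect(`.
```python
        # … unchanged: zookeeper hosts check …
        tls_names = ('tls_key', 'tls_cert', 'tls_ca')
        tls_values = {n: get_default(self.config, 'zookeeper', n)
                      for n in tls_names}
        missing = [n for n in tls_names if not tls_values[n]]
        if missing:
            # Fail closed: TLS is mandatory, so name exactly what is unset.
            raise Exception("A TLS ZooKeeper connection is required; "
                            "missing zookeeper config value(s): %s"
                            % ", ".join(missing))
        zookeeper_tls_key = tls_values['tls_key']
        zookeeper_tls_cert = tls_values['tls_cert']
        zookeeper_tls_ca = tls_values['tls_ca']
        # … unchanged: session_timeout and zk_client.connect( …
```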
+++ b/zuul/cmd/merger.py @@ -54,12 +54,15 @@ class Merger(zuul.cmd.ZuulDaemonApp): self.setup_logging('merger', 'log_config') zk_client = ZooKeeperClient() - zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None) + zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts') if not zookeeper_hosts: raise Exception("The zookeeper hosts config value is required") zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key') zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert') zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca') + if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca): + raise Exception("A TLS ZooKeeper connection is required; " + "please supply the tls_* zookeeper config values.") zookeeper_timeout = float(get_default(self.config, 'zookeeper', 'session_timeout', 10.0)) zk_client.connect( diff --git a/zuul/cmd/scheduler.py b/zuul/cmd/scheduler.py index e9593e5610..35392696cb 100755 --- a/zuul/cmd/scheduler.py +++ b/zuul/cmd/scheduler.py @@ -139,12 +139,15 @@ class Scheduler(zuul.cmd.ZuulDaemonApp): nodepool = zuul.nodepool.Nodepool(self.sched) zk_client = ZooKeeperClient() - zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None) + zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts') if not zookeeper_hosts: raise Exception("The zookeeper hosts config value is required") zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key') zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert') zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca') + if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca): + raise Exception("A TLS ZooKeeper connection is required; " + "please supply the tls_* zookeeper config values.") zookeeper_timeout = float(get_default(self.config, 'zookeeper', 'session_timeout', 10.0)) zk_client.connect(