Add the Enroll Kibana API

[jkakavas]

This change adds the Enroll Kibana API that allows a kibana instance to
configure itself to communicate with a secured elasticsearch cluster

[elasticmachine]

Pinging @elastic/es-security (Team:Security)

[jkakavas]

CC @azasypkin

[BigPandaToo]

Added few comments, mostly nit. Feel free to merge after you addressing them

[BigPandaToo]

Left few comments and suggestions

[BigPandaToo]

LGTM

[albertzaharovits]

I've left a couple of points. They need to be addressed before merging.
Nonetheless I have approved. Do ping me if there's anything I should clarify.

[albertzaharovits]

Only if it is irking you as well, I would prefer using Enroll rather than Enrollment, when possible.

[jkakavas]

will do, no worries

[albertzaharovits]

I personally prefer a different origin, but this is by no means something I would hold this PR for. We've been very lax about origins.

[albertzaharovits]

Publish address only exposes a single address (per node). Hopefully the one reachable from Kibana (but no way to tell for sure).

It is safer to show all the addresses, but that is not possible if we must also support binding to 0.0.0.0 (ie instead of showing publish addresses we can show bind addresses, but bind can be 0.0.0.0 which is not routable).

So there is no perfect solution. I would choose to show bind addresses because the setup script won't use 0.0.0.0. Your call.

[jkakavas]

Good catch. I didn't think this through as much as I should have

I would choose to show bind addresses because the setup script won't use 0.0.0.0

The only problem with this is docker where we bind on 0.0.0.0 actually. I 'll think this through on Monday and get back with a suggestion

[jkakavas]

Thought this through a little more:

• Kibana already can communicate with an ES node ( it just sent us a request ). The idea here is that we return the http addresses for other nodes so that it might connect to other nodes if it wants/needs.
• bind_address is always 0.0.0.0 in docker

I think publish_address is an appropriate compromise for this. We can, however, get bind_address and return those unless it is 0.0.0.0, when we would fallback to publish_address.

@azasypkin , @legrego ping for visibility and feedback.

[legrego]

It sounds like publish address is what we would want here. While there are no guarantees that Kibana will be able to reach ES at that address, the docs claim that the publish address must be reachable by all clients (if I understand correctly).

I'm not opposed to also including the bind address in the response if it's not 0.0.0.0, however.

[azasypkin]

Same here, returning of publish_address or publish_address + bind_address[] (excluding 0.0.0.0) sounds like a reasonable approach to me.

[lockewritesdocs]

Added some suggestions for updates to the Enroll Kibana API doc page.

[lockewritesdocs]

Suggested change

	* You must have the `enroll` <<privileges-list-cluster,cluster privilege>> to use this API.

[lockewritesdocs]

I think that this privilege is the same as the enroll node API.

[jkakavas]

We are not adding the named privilege after all, but thanks this reminds me to remove the reference from the enroll node API !

[lockewritesdocs]

Suggested change

	<1> The password for the `kibana_system` user
	<1> The password for the `kibana_system` user.

[jkakavas]

@albertzaharovits I've addressed your feedback but 2 points ( getCertificate vs getCertificateChain and bind vs publish address ) which need a little more discussion

[jkakavas]

@albertzaharovits do you want to take another look please and see if something needs to be resolved/discussed more or we should move forward with merging this? 🙏

[jkakavas]

@albertzaharovits do you want to take another look please and see if something needs to be resolved/discussed more or we should move forward with merging this?

We went through remaining points in a zoom.