Kibana: Allow-list Task Manager configuration in cloud

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

It probably makes sense to set hard-coded limits on these, in a separate PR. Reason: whitelisting these will be advertising them to some extent, and without limits, I feel like we're shipping a foot-gun.

Just opened issue https://github.com/elastic/kibana/issues/56573 for that, didn't immediately find an existing open issue.

Yup, I was going to do it as part of this issue (2 PRs in one issue) but fair enough, as I didn't actually document that 😬

Task should wait and see if new configuration variables are created by #65552.

@elastic/kibana-alerting-services

It was mentioned that there might be additional task manager configs that we would want exposed in the cloud. Do we have an idea of what they are so they can be rolled into this issue?

++ there's no list of what other configs should be included but it's worth taking a look through our plugins (alerts, actions, event log, task manager, etc) to see if there's anything else you think should be allow-listed on cloud. You can summarize that list in this thread and if you're not sure on one of them, you can add it with a question mark or something.

These are the configurations I've found in our plugins:
xpack.actions.enabled
xpack.actions.allowedHosts --> already in cloud config
xpack.actions.enabledActionTypes --> already in cloud config
xpack.actions.preconfigured
xpack.actions.proxyUrl
xpack.actions.proxyHeaders
xpack.actions.proxyRejectUnauthorizedCertificates
xpack.actions.rejectUnauthorized
xpack.event_log.enabled
xpack.event_log.logEntries
xpack.event_log.indexEntries
xpack.task_manager.enabled
xpack.task_manager.max_attempts
xpack.task_manager.poll_interval --> adding to cloud config in this issue
xpack.task_manager.max_poll_inactivity_cycles
xpack.task_manager.request_capacity
xpack.task_manager.index
xpack.task_manager.max_workers --> adding to cloud config in this issue
xpack.task_manager.monitored_stats_required_freshness
xpack.task_manager.monitored_aggregated_stats_refresh_rate
xpack.task_manager.monitored_stats_running_average_window
xpack.task_manager.monitored_task_execution_thresholds

According to @gmmorris comment here, we may want to expose xpack.task_manager.monitored_task_execution_thresholds

Do we need any of the xpack.actions.proxy* configs in the cloud.

Thoughts?

I don't think any of the xpack.event_log.* configs make sense to enable for cloud. At this point, they're really dev-time settings.

So alerts has no config setting!? (I looked, didn't see any) Awesome!

No opinion on TM settings, other than I feel like maybe exposing the bare minimum right now would be good - poll_interval, max_workers and probably the monitored_* ones. Per https://github.com/elastic/kibana/issues/56478#issuecomment-580966562, I feel like we want to make sure we have some max's set for the TM ones, which would be here: https://github.com/elastic/kibana/blob/d7a78229e4691a09316c42734ed201e9c66571d9/x-pack/plugins/task_manager/server/config.ts#L39-L103

Not opposed to doing it in this PR, since I think we can just add the additional schema options, but we will have to make a decision on the numbers!

For actions, I think the following:

• xpack.actions.proxyUrl
• xpack.actions.proxyHeaders
• xpack.actions.proxyRejectUnauthorizedCertificates
• xpack.actions.rejectUnauthorized

I'd love to allowList xpack.actions.preconfigured (see https://github.com/elastic/kibana/issues/73073), but I believe @peterschretlen has been thinking these preconfigured actions are more like "system installed" actions, hence hiding some of the settings and what-not. I know the previous concern I had was not showing config for these in the UI, and I can still live with that, but wondering what you think (Peter) about allowListing these for cloud?

To summarize the comments I've seen so far, I will be adding:

xpack.task_manager.monitored_task_execution_thresholds
xpack.actions.proxyUrl
xpack.actions.proxyHeaders
xpack.actions.proxyRejectUnauthorizedCertificates
xpack.actions.rejectUnauthorized