Address feedback from code review

Also changed readPkcs12Keystore to determine which end-entity key
and cert to return based on if they have a matching public key. The
old behavior would simply return the first key and cert as the EE
key and cert.

Author: jportner

docs/setup/settings.asciidoc

@@ -88,8 +88,8 @@ including requests that are proxied for end users. Setting this to `true` when E
 lead to proxied requests for end users being executed as the identity tied to the configured certificate.
 
 `elasticsearch.ssl.certificate:` and `elasticsearch.ssl.key:`:: Paths to a PEM-encoded X.509 certificate and its private key, respectively.
-When `xpack.security.http.ssl.client_authentication` in Elasticsearch is set to `required`, the certificate and key are used to prove
-Kibana's identity when it makes an outbound request to your Elasticsearch cluster.
+When `xpack.security.http.ssl.client_authentication` in Elasticsearch is set to `required` or `optional`, the certificate and key are used
+to prove Kibana's identity when it makes an outbound request to your Elasticsearch cluster.
 +
 --
 NOTE: These settings cannot be used in conjunction with `elasticsearch.ssl.keystore.path`.
@@ -104,10 +104,10 @@ be specified via `elasticsearch.ssl.keystore.path` and/or `elasticsearch.ssl.tru
 `elasticsearch.ssl.key`. This value is optional, as the key may not be encrypted.
 
 `elasticsearch.ssl.keystore.path:`:: Path to a PKCS #12 file that contains an X.509 certificate with its private key. When
-`xpack.security.http.ssl.client_authentication` in Elasticsearch is set to `required`, the certificate and key are used to prove Kibana's
-identity when it makes an outbound request to your Elasticsearch cluster. If the file contains any additional certificates, those will be
-used as a trusted certificate chain for your Elasticsearch cluster. This chain is used to establish trust when Kibana creates an SSL
-connection with your Elasticsearch cluster. In addition to this setting, trusted certificates may be specified via
+`xpack.security.http.ssl.client_authentication` in Elasticsearch is set to `required` or `optional`, the certificate and key are used to
+prove Kibana's identity when it makes an outbound request to your Elasticsearch cluster. If the file contains any additional certificates,
+those will be used as a trusted certificate chain for your Elasticsearch cluster. This chain is used to establish trust when Kibana creates
+an SSL connection with your Elasticsearch cluster. In addition to this setting, trusted certificates may be specified via
 `elasticsearch.ssl.certificateAuthorities` and/or `elasticsearch.ssl.truststore.path`.
 +
 --

src/core/server/elasticsearch/elasticsearch_config.test.ts

@@ -257,6 +257,16 @@ describe('throws when config is invalid', () => {
     );
   });
 
+  it('throws if keystore does not contain a key or certificate', () => {
+    mockReadPkcs12Keystore.mockReturnValueOnce({});
+    const value = { ssl: { keystore: { path: 'some-path' } } };
+    expect(() =>
+      createElasticsearchConfig(config.schema.validate(value))
+    ).toThrowErrorMatchingInlineSnapshot(
+      `"Did not find key or certificate in Elasticsearch keystore."`
+    );
+  });
+
   it('throws if truststore path is invalid', () => {
     const value = { ssl: { keystore: { path: '/invalid/truststore' } } };
     expect(() =>

src/core/server/elasticsearch/elasticsearch_config.ts

@@ -232,23 +232,21 @@ export class ElasticsearchConfig {
     let certificateAuthorities: string[] | undefined;
     const addCAs = (ca: string[] | undefined) => {
       if (ca && ca.length) {
-        certificateAuthorities = certificateAuthorities ? certificateAuthorities.concat(ca) : ca;
+        certificateAuthorities = [...(certificateAuthorities || []), ...ca];
       }
     };
 
     if (rawConfig.ssl.keystore?.path) {
-      const { key: k, cert, ca } = readPkcs12Keystore(
+      const keystore = readPkcs12Keystore(
         rawConfig.ssl.keystore.path,
         rawConfig.ssl.keystore.password
       );
-      if (!k && !cert) {
-        log.warn(
-          `Did not find key or certificate in keystore; mutual TLS authentication is disabled.`
-        );
+      if (!keystore.key && !keystore.cert) {
+        throw new Error(`Did not find key or certificate in Elasticsearch keystore.`);
       }
-      key = k;
-      certificate = cert;
-      addCAs(ca);
+      key = keystore.key;
+      certificate = keystore.cert;
+      addCAs(keystore.ca);
     } else {
       if (rawConfig.ssl.key) {
         key = readFile(rawConfig.ssl.key);