[Stack monitoring] Do not expose monitoring.ui.elasticsearch configuration to the browser

[smith]

The monitoring.ui.elasticsearch configuration object is exposed to the browser (the whole ui object is exposed in servcer/index.ts.)

The data in this object is needed to connect to the monitoring cluster, but is it necessary to expose this entire object to the browser? It could contain sensitive data about the cluster credentials.

• Determine which keys of browsermonitoring.ui.elasticsearch, if any, are needed in the browser
• Only expose the necessary keys to the browser

[elasticmachine]

Pinging @elastic/infra-monitoring-ui (Team:Infra Monitoring UI)

[klacabane]

Quick lookup shows that we're reading the following values from monitoring.ui in public/plugin.ts:

• enabled
• min_interval_seconds
• show_license_expiration
• container.elasticsearch.enabled
• container.logstash.enabled
• ccs.enabled - ccs_utils.ts

Ideally we'd define a schema with only the nested keys that we want to expose but exposeToBrowser only supports root keys. Implementing nested key support could be an option, I'll look for potential blockers and otherwise alternatives

[smith]

Could we also look at flattening the ones we need and only exposing those as separate config items?

[klacabane]

Yup, since we can update that config at runtime we can create a root object out of the properties required by the UI. We'll have to update the paths where we directly access monitoring.ui.{prop} in the UI code and we should be good, or maybe a proxy could abstract this.
Ability to only define a tree in exposeToBrowser looks more intuitive to me though but let's consider that as a future improvement

[klacabane]

I've opened a feature request to handle recursive definition of the configuration which was taken care of instantly, I'll hold on this PR until the feature is merged