Support setting up Kibana spaces declaratively. #127286

Open
scbjans opened this issue Feb 17, 2022 · 6 comments
Labels
enhancement New value added to drive a business result Feature:Security/Spaces Platform Security - Spaces feature Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!


scbjans commented Feb 17, 2022

Proposal

Support setting up Kibana spaces declaratively.

Use case. Why is this important?

Using ECK it is possible to set up custom users and roles using file realm.

When a role is restricted to a specific Kibana Space, the space still has to be created manually.
Once the space is created, the user (mapped to that role) can be used.

It would be helpful if Kibana spaces can be configured using a spaces.yml file (similar to custom roles in roles.yml).

@botelastic botelastic bot added the triage label Feb 17, 2022
Contributor

thbkrkr commented Feb 17, 2022

Somewhat related to elastic/cloud-on-k8s#3598 but for Kibana, if spaces were created using the Kibana Spaces API.

Contributor

thbkrkr commented Mar 9, 2022

> It would be helpful if Kibana spaces can be configured using a spaces.yml file (similar to custom roles in roles.yml)

It would be necessary to start by having the feature in Kibana so that ECK can use it, which is not the case currently. AFAIK there is currently only an HTTP API to manage Spaces.

Let's move the issue to discuss with the Kibana team to see if this is something that might make sense.

@thbkrkr thbkrkr transferred this issue from elastic/cloud-on-k8s Mar 9, 2022
@botelastic botelastic bot added the needs-team Issues missing a team label label Mar 9, 2022

@rayafratkina rayafratkina added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label May 26, 2022
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@botelastic botelastic bot removed the needs-team Issues missing a team label label May 26, 2022
@jportner jportner added enhancement New value added to drive a business result Feature:Security/Spaces Platform Security - Spaces feature and removed triage labels May 28, 2022
Member

legrego commented May 31, 2022

I have a couple of questions around expected functionality:

  1. Would the presence of file-based spaces prevent users from creating/updating/deleting spaces via the UI? Or would it mark the file-based spaces as "readonly", and allow for the creation of other spaces via UI?
  2. What happens when a space is removed from the file? Should we delete the space, and all associated saved objects?
  3. I'd expect we would need to document the fact that file-based spaces need to be kept in sync across all Kibana instances -- a mismatch here would leave Kibana in a non-deterministic state. Do you agree?

Author

scbjans commented Jun 3, 2022

From a functional point of view I would expect it to work similarly to the already existing roles.yml. I'm not sure how my below answers fit to that, but for the sake of standardization, I think resembling roles.yml should be prioritized more than my answers.

My $0.02:

  1. I would expect all spaces will be managed through spaces.yml; so creating/updating/deleting spaces via the UI should not be possible.
  2. From a declarative point of view, I think deleting a space from the file should also remove the space and its associated objects.
  3. This issue was created particularly for use with ECK. Since I think it will probably be mounted as a secret (just like when defining roles declaratively), Kubernetes will make sure it's in sync between all pods. I'm not sure how it will behave in other cases.
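
Until something like spaces.yml exists, the declarative behaviour discussed in this thread can be approximated outside Kibana by reconciling a desired list against the Spaces HTTP API. The sketch below is an added example, not code from Kibana, ECK or any participant in this issue; the desired-list format, the `plan` function and the sample data are assumptions made for illustration. It only computes the API calls, leaves deletion off unless `prune` is set (removing a space removes its saved objects), and never plans a delete for a reserved space.

```python
# Constructed sample: what a hypothetical declarative spaces file could hold
# once parsed into a list of dicts.
DESIRED = [
    {"id": "team-a", "name": "Team A", "disabledFeatures": []},
    {"id": "team-b", "name": "Team B", "disabledFeatures": ["dev_tools"]},
]
# Constructed sample in the shape returned by GET /api/spaces/space.
CURRENT = [
    {"id": "default", "name": "Default", "disabledFeatures": [], "_reserved": True},
    {"id": "team-a", "name": "Team A (old)", "disabledFeatures": []},
    {"id": "scratch", "name": "Scratch", "disabledFeatures": []},
]
# Only these attributes are compared; anything else stays UI-managed.
MANAGED_KEYS = ("name", "description", "disabledFeatures")


def plan(desired, current, prune=False):
    """Return (method, path, body) tuples that move `current` to `desired`."""
    ids = [space["id"] for space in desired]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate space id in desired spec")
    existing = {space["id"]: space for space in current}
    ops = []
    for space in desired:
        have = existing.get(space["id"])
        if have is None:
            ops.append(("POST", "/api/spaces/space", space))
        elif any(have.get(k) != space.get(k) for k in MANAGED_KEYS):
            ops.append(("PUT", f"/api/spaces/space/{space['id']}", space))
    if prune:
        # Deleting a space also deletes its saved objects, so this is opt-in
        # and skips reserved spaces such as the default one.
        for space_id, have in existing.items():
            if space_id not in ids and not have.get("_reserved"):
                ops.append(("DELETE", f"/api/spaces/space/{space_id}", None))
    return ops


if __name__ == "__main__":
    for method, path, body in plan(DESIRED, CURRENT, prune=True):
        print(method, path, body)
```

Sending the planned requests requires an authenticated client and the `kbn-xsrf` header that Kibana expects on write requests.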
