[Breaking change] Forbid using elasticsearch.ssl.certificate without elasticsearch.ssl.key and vice versa

[legrego]

Change description

Which release will ship the breaking change?

8.0 (Edit Joe 9/1/21: this is deprecated but we are not sure when we will break it)

Describe the change. How will it manifest to users?
Starting in 8.0, we should prevent Kibana from starting if elasticsearch.ssl.certificate without elasticsearch.ssl.key and vice versa. This configuration will not enable TLS client authentication to Elasticsearch, and is unsupported.

Starting in 7.6, we're warning the user via deprecation logs (see #54392), so we are safe to enforce this in 8.0 after properly documenting it as a breaking change.

How many users will be affected?

What can users do to address the change manually?

Update their kibana.yml to either remove the offending setting, or add the missing setting (depending on their intent).

How could we make migration easier with the Upgrade Assistant?

I don't think this is something that warrants a custom UI, but having the deprecation warning appear in the UA would be beneficial.

Are there any edge cases?

Test Data

Provide test data. We can’t build a solution without data to test it against.

Cross links

Cross-link to relevant Elasticsearch breaking changes.

• Original Kibana issue: Improve warning when using elasticsearch.ssl.certificate without elasticsearch.ssl.key and vice versa #54537

[elasticmachine]

Pinging @elastic/es-ui (Team:Elasticsearch UI)

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[alisonelizabeth]

I'm going to remove the Elasticsearch UI team label. This deprecation should be registered by the plugin owner via the core deprecations service (#94845). All registered deprecations will be displayed in the Upgrade Assistant (to be implemented via #97159). Feel free to reach out to myself or the core team with any questions!