[Response Ops][Task Manager] Wait to invalidate API keys until no tasks are using it

[ymao1]

Resolves #243719

Summary

This PR switches to marking API keys used by tasks as ready for invalidation instead of immediately invalidating them. This is done by:

• Creating a new saved object of type api_key_to_invalidate that contains the apiKeyId of the API key to invalidate (does not contain the API key itself)
• Creating a new recurring background task that queries for api_key_to_invalidate saved objects. When it finds an API key ID, it queries for any existing tasks that may still be using it and does not invalidate if there are any tasks that need it.

There is an alerting task that does the same things for API keys created by alerting rules. In the future, we will move alerting rule API key management to task manager and we can remove the duplicate task.

Verify

• Verify that the workflow scenario from [Response Ops][Task Manager] Should not invalidate API key for task if it is being used by another task #243719 (comment) no longer fails.
• After verifying the scenario, you can go see the API keys at https://localhost:5601/app/management/security/api_keys. You should see the API key created for the workflow. After 1 hour, that API key should be invalidated and gone from the list.

[github-actions]

🔍 Preview links for changed docs

• docs/extend/plugin-list.md

[ymao1]

@elasticmachine run docs-build

[ymao1]

Moved all of these functions to the task manager plugin so they can be reused by both tasks.

[ymao1]

Due to circular dependency issues, we cannot have the task manager plugin depend on the security plugin, so we have to use this sidecar plugin in order to use security functions within task manager.

[ymao1]

Same as alerting, we introduce a removal delay to remove the possibility of race conditions between the task that's being deleted and any other child tasks that may be scheduled using the same API key.

[ymao1]

Reducing the removal delay for testing

[ymao1]

Updated this test that previously checked whether the API key was deleted after a task was run. Now it checks that the API key is still there an an api_key_to_invalidate SO is created. Then it manually triggers the invalidate API key task and checks that the API key is deleted after that.

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[jbudz]

src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker LGTM

[ymao1]

@elasticmachine merge upstream

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 8b0cafc

Failed CI Steps

• FTR Configs #24
• FTR Configs #60

Test Failures

• [job] [logs] FTR Configs #24 / Alerting builtin alertTypes es_query rule runs correctly: threshold on ungrouped hit count < > for esQuery search type
• [job] [logs] FTR Configs #60 / Alerting bulkDisable should bulk disable and untrack

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
taskManager	74	76	+2

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id	before	after	diff
taskManager	9	10	+1

Unknown metric groups

API count

id	before	after	diff
taskManager	120	122	+2

References to deprecated APIs

id	before	after	diff
taskManagerDependencies	0	2	+2

History

• 💔 Build #368014 failed 9f461b5
• 💔 Build #367859 failed d3f0ceb
• 💔 Build #367633 failed a15bd8d
• 💔 Build #367442 failed ca46845
• 💔 Build #367440 failed e74e0c5

cc @ymao1