kibana 7.9.0 docker won't read elasticsearch.password from keystore

[LeeDr]

Kibana version: 7.9.0 (BC1 and BC2)

Elasticsearch version: 7.9.0 (BC1 and BC2)

Server OS version: docker

Browser version:

Browser OS version:

Original install method (e.g. download page, yum, from source, etc.): docker images

Describe the bug: If I put elasticsearch.password in the kibana.yml file kibana starts up fine. But using the keystore it fails to start with a message that seems to indicate it isn't getting the password from the keystore missing authentication credentials;

Steps to reproduce:

1. my kibana.yml contains;

# Default Kibana configuration from kibana-docker.

server.name: kibana
server.host: "0"
elasticsearch.hosts: https://elasticsearch:9200
# elasticsearch.password is stored in `kibana.keystore`
elasticsearch.username: kibana
elasticsearch.ssl.certificateAuthorities: ["/certs/ssl/ca/ca.crt"]
server.ssl.enabled: false
#server.ssl.certificate: /certs/ssl/docker-cluster/kibana/kibana.crt
#server.ssl.key: /certs/ssl/docker-cluster/kibana/kibana.key
xpack.monitoring.ui.container.elasticsearch.enabled: true

# Point to the Telemetry Staging cluster
telemetry.url: https://telemetry-staging.elastic.co/xpack/v2/send
telemetry.optInStatusUrl: https://telemetry-staging.elastic.co/opt_in_status/v2/send

2. a script creates the keystore and sets the elasticsearch.password like this;

echo "$ELASTIC_PASSWORD" | /usr/share/kibana/bin/kibana-keystore add 'elasticsearch.password' -x

3. Those commands appear to work (no errors, expected output);

{}=== CREATE Keystore ===
Created Kibana keystore in /usr/share/kibana/config/kibana.keystore
Setting elasticsearch.password: ***********

4. I can use keystore list and see that elasticsearch.password is in the keystore

Expected behavior: Kibana should use elasticsearch.password (or any parameters) from the keystore

Screenshots (if relevant):

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

{"type":"log","@timestamp":"2020-07-17T17:28:33Z","tags":["warning","plugins","licensing"],"pid":6,"message":"License information could not be obtained from Elasticsearch due to [security_exception] missing authentication credentials for REST request [/_xpack], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } } :: {\"path\":\"/_xpack\",\"statusCode\":401,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication credentials for REST request [/_xpack]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":[\\\"Bearer realm=\\\\\\\"security\\\\\\\"\\\",\\\"ApiKey\\\",\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"]}}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication credentials for REST request [/_xpack]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":[\\\"Bearer realm=\\\\\\\"security\\\\\\\"\\\",\\\"ApiKey\\\",\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"]}},\\\"status\\\":401}\",\"wwwAuthenticateDirective\":\"Bearer realm=\\\"security\\\", ApiKey, Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"} error"}

Any additional context:

[elasticmachine]

Pinging @elastic/kibana-operations (Team:Operations)

[LeeDr]

My same scripts using the keystore work on 7.8.1 so it is a new regression.

[LeeDr]

According to the PR that fixes this, it doesn't really have anything to do with it being the docker image.