Auto expand replicas for indices created by Security/SIEM and Ingest Manager

[gbanasiak]

Create indices for Security/SIEM and Ingest Manager with auto-expand replicas set to 0-1 similarly to other Kibana indices to prevent false alarms in test 1-node Elasticsearch deployments.

Security/SIEM:

health status index                             uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   .items-default-000001             9XS6sCp2RDW3Qu-Ytg0Afw   1   1          0            0       208b           208b
yellow open   .lists-default-000001             _lpXqZyRSjSF7fMK0THZ0w   1   1          0            0       208b           208b
yellow open   .siem-signals-default-000001      DNw28c7qRm6F44MXU_GSJw   1   1          0            0       208b           208b

Ingest Manager:

health status index                             uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   logs-index_pattern_placeholder    q104NixDRn2QJpwT-jKPrQ   1   1          0            0       208b           208b
yellow open   metrics-index_pattern_placeholder 22HbuRjMQraipkLndVfXLQ   1   1          0            0       208b           208b

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

Pinging @elastic/ingest-management (Team:Ingest Management)

[LeeDr]

FYI, this issue has an enhancement label and a 7.11.0 label. Since we're past FF for 7.11.0 this should move out to 7.12.0.

[Funbit]

It's 7.12 already, but problem is still here and it's pretty annoying :(
Will it be fixed in the next release?

[jen-huang]

@ruflin What do you think about this proposal? I think it would be simple to add this setting to the index templates that Fleet creates?

[ruflin]

Agree, should be simple to add. I wonder if this would have any other side effects?

[wallrik]

One issue I bumped into today with these particular indices is that even after manually setting auto_expand_replicas: "0-1" in each of the index templates, the system templates seem to get overridden at some point... I'm unsure when exactly, but I think it was after I updated to 7.15.0, resulting in the cluster showing unassigned shards yet again.

It would be awesome if all system indices could be auto-expanding to allow single-node tests. 👍

This might actually get some partial love from #111152 so we got that going at least 😁

[kobelb]

Created #139864 to track this request explicitly for the .alerts-* indices.