The plan is to run ES/Kibana on Docker/Kubernetes, and we would like to automate as much as possible. The other main point is that we would like to not use passwords if possible and instead opt for the PKI realm. The reason for the latter is strict rules when it comes to using any passwords, which we would like to simply avoid by going for PKI.
So unless I am mistaken, when installing and configuring ES, all security-related settings (xpack.security.* inside elasticsearch.yml) require a valid license up front. And again, I believe that in order to install the license we would need to [PUT] /_license, which requires a valid user like elastic to have a password. I don't think we can use the bootstrap password for anything like this.
The other way around would be if the bin/elasticsearch-setup-passwords script is able to set up a password only for a specific user. This would allow us to deal with a single user/password only, again, as in the first paragraph, trying to reduce the number of users outside of PKI to the minimum necessary.