opensearch-project / helm-charts

A community repository for Helm Charts of OpenSearch Project.
https://opensearch.org/docs/latest/opensearch/install/helm/
Apache License 2.0

[BUG][opensearch] CrashLoop when keystore secret has no data #433

Open hobti01 opened 1 year ago

hobti01 commented 1 year ago

Describe the bug: When a keystore secret is configured and it does not have any entries, the shell script incorrectly attempts to import a non-existent file due to file globbing.

To Reproduce: Steps to reproduce the behavior:

  1. Create a Kubernetes Secret with no data

    apiVersion: v1
    kind: Secret
    metadata:
      name: opensearch-keystore
    type: Opaque
    data: {}

  2. Configure a keystore secret

    keystore:
      - secretName: opensearch-keystore

  3. Deploy the chart and observe CrashLoop from the keystore init container. Logs:

    Created opensearch keystore in /usr/share/opensearch/config/opensearch.keystore
    Adding file /tmp/keystoreSecrets/*/* to keystore key *
    ERROR: File [/tmp/keystoreSecrets/*/*] does not exist

Expected behavior: No CrashLoop

Chart Name: opensearch

Screenshots: N/A

Host/Environment (please complete the following information):

Additional context: N/A
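The failure in the logs above, reproduced as an added example that is not part of the original issue and is not the chart's own script. `add_file`, `import_naive`, `import_guarded` and the temporary directory layout are hypothetical stand-ins for the keystore tool and `/tmp/keystoreSecrets`; the file name and value are constructed.

```shell
#!/bin/sh
# add_file is a hypothetical stand-in for the real keystore tool: it fails on a
# missing file, like the "File [...] does not exist" line in the reported logs.
add_file() {  # $1 = key name, $2 = path
    if [ ! -f "$2" ]; then
        echo "ERROR: File [$2] does not exist" >&2
        return 1
    fi
    IMPORTED="$IMPORTED $1"
}

# Naive loop: when nothing matches, the shell leaves the pattern unexpanded,
# so the body runs once with the literal string ".../*/*".
import_naive() {  # $1 = directory holding one subdirectory per mounted secret
    IMPORTED=""
    for f in "$1"/*/*; do
        key=$(basename "$f")
        echo "Adding file $f to keystore key $key"
        add_file "$key" "$f" || return 1
    done
}

# Guarded loop: skip anything that is not an existing regular file, which
# covers the unexpanded pattern produced by an empty secret.
import_guarded() {
    IMPORTED=""
    for f in "$1"/*/*; do
        [ -f "$f" ] || continue
        key=$(basename "$f")
        echo "Adding file $f to keystore key $key"
        add_file "$key" "$f" || return 1
    done
}

# Constructed input: one empty secret directory, one with a single entry.
demo=$(mktemp -d)
mkdir -p "$demo/empty/opensearch-keystore" "$demo/full/opensearch-keystore"
printf 'constructed-value' > "$demo/full/opensearch-keystore/example.setting"

import_naive "$demo/empty" || echo "naive loop failed on the empty secret"
import_guarded "$demo/empty" && echo "guarded loop imported:${IMPORTED:- nothing}"
import_guarded "$demo/full" && echo "guarded loop imported:$IMPORTED"
rm -rf "$demo"
```

The `[ -f "$f" ] || continue` guard works in both POSIX sh and bash, so it does not depend on bash's `nullglob` option being available in the init container's shell.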

zelinh commented 1 year ago

[Triage] @hobti01 What is the cause/use case of creating an empty keystore? @prudhvigodithi

hobti01 commented 1 year ago

I propose there are two issues here:

  1. The shell script code is naive. This is a common shell/bash gotcha with globs: the shell tries a literal match when no files match. It should simply be written to work as intended.
  2. In real-world scenarios the script fails.

In order to add sensitive data a Secret must exist before deploying the chart.

There may be several cases where the Secret has no data: