
[BUG][opensearch] CrashLoop when keystore secret has no data

Open hobti01 opened this issue 1 year ago • 2 comments

Describe the bug: When a keystore secret is configured and it does not have any entries, the shell script incorrectly attempts to import a non-existent file due to file globbing.

To Reproduce Steps to reproduce the behavior:

  1. Create a Kubernetes Secret with no data

         apiVersion: v1
         kind: Secret
         metadata:
           name: opensearch-keystore
         type: Opaque
         data: {}

  2. Configure a keystore secret

         keystore:
           - secretName: opensearch-keystore

  3. Deploy the chart and observe CrashLoop from the keystore init container. Logs:

         Created opensearch keystore in /usr/share/opensearch/config/opensearch.keystore
         Adding file /tmp/keystoreSecrets/*/* to keystore key *
         ERROR: File [/tmp/keystoreSecrets/*/*] does not exist

Expected behavior: No CrashLoop

Chart Name: opensearch

Screenshots: N/A

Host/Environment (please complete the following information):

  • Helm Version: 3.11.3
  • Kubernetes Version: 1.23.17

Additional context: N/A

hobti01, May 20 '23 09:05

[Triage] @hobti01 What is the cause/use case of creating an empty keystore? @prudhvigodithi

zelinh, May 23 '23 19:05

I propose there are two issues here:

  1. The shell script code is naive. This is a common shell/bash gotcha with globs that it tries a literal match when no files match. It should simply be written to work as intended.
  2. In real-world scenarios the script fails

In order to add sensitive data a Secret must exist before deploying the chart.

There may be several cases where the Secret has no data:

  • could be synchronized with a secret manager and is before the sync
  • sensitive data is conditional based on any other business or operational reason
  • Our immediate case: We create the secret from a Helm Chart and if there is no sensitive data for the Secret, it still must be deployed since it is required by the opensearch Helm Chart. Reconfiguring the sensitive data in addition to manually enabling or disabling the keystore secret is unmaintainable.

hobti01, May 24 '23 07:05
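
The glob behaviour discussed in this issue, as an added example that is not the chart's own script and not part of any comment above: an unmatched pattern is passed through literally, so the loop body runs once on a path that does not exist. `add_file` is a hypothetical stand-in for the keystore import command, and the directory layout is constructed for the demonstration.

```shell
#!/bin/sh
# Hypothetical stand-in for the keystore import step: add_file KEY PATH.
# It fails when PATH is not an existing file, like the error in the issue log.
add_file() {
    [ -f "$2" ] || { echo "ERROR: File [$2] does not exist" >&2; return 1; }
    echo "added $1"
}

# Naive loop: if nothing matches ROOT/*/*, the shell leaves the pattern
# unexpanded and the body runs once with the literal string "ROOT/*/*".
import_naive() {
    for f in "$1"/*/*; do
        add_file "$(basename "$f")" "$f" || return 1
    done
}

# Hardened loop: skip anything that is not an existing regular file, which
# covers the unexpanded pattern. Prints the number of entries imported.
import_safe() {
    count=0
    for f in "$1"/*/*; do
        [ -f "$f" ] || continue
        add_file "$(basename "$f")" "$f" >/dev/null || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Constructed layout: one mounted Secret directory with no entries.
demo_root=$(mktemp -d)
mkdir "$demo_root/opensearch-keystore"
import_naive "$demo_root" || echo "naive loop failed on an empty Secret"
echo "safe loop imported $(import_safe "$demo_root") entries"
rm -rf "$demo_root"
```

In bash, `shopt -s nullglob` before the loop has the same effect as the `[ -f "$f" ] || continue` guard; the guard is used here because it also works in plain POSIX sh.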