m/pkg/pki: forbid External/Managed certificates without name
This ensures any stored certificates must have a name set - otherwise
they end up being created with an empty string as a name, and end up
colliding with eachother.
Change-Id: I9e415b6ff89dbda179526920d58e33e638a28cec
Reviewed-on: https://review.monogon.dev/c/monogon/+/286
Reviewed-by: Mateusz Zalega <mateusz@monogon.tech>
diff --git a/metropolis/pkg/pki/certificate.go b/metropolis/pkg/pki/certificate.go
index 4ec3bf0..e7788b1 100644
--- a/metropolis/pkg/pki/certificate.go
+++ b/metropolis/pkg/pki/certificate.go
@@ -177,6 +177,14 @@
return nil, fmt.Errorf("invalid certificate mode %v", c.Mode)
}
+ if c.Name == "" {
+ if c.Mode == CertificateExternal {
+ return nil, fmt.Errorf("external certificate must have name set")
+ } else {
+ return nil, fmt.Errorf("managed certificate must have name set")
+ }
+ }
+
certPath := c.Namespace.etcdPath("%s-cert.der", c.Name)
// Try loading certificate from etcd.