Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / a41caacc71418f7307d851fad95991cf80bdcb41^! / . / metropolis / pkg / pki / certificate.go
commita41caacc71418f7307d851fad95991cf80bdcb41[log] [tgz]
authorSerge Bazanski <serge@monogon.tech>Thu Aug 12 17:00:55 2021 +0200
committerSergiusz Bazanski <serge@monogon.tech>Thu Aug 19 10:20:55 2021 +0000
treecbcf9af76f29ccb94b7c2b94d75f1e8eb39cfb3d
parent5253884d51cb64c1d1afcb2d7b969f7c2b50b302 [diff] [blame]
m/pkg/pki: forbid External/Managed certificates without name

This ensures any stored certificates must have a name set - otherwise
they end up being created with an empty string as a name, and end up
colliding with eachother.

Change-Id: I9e415b6ff89dbda179526920d58e33e638a28cec
Reviewed-on: https://review.monogon.dev/c/monogon/+/286
Reviewed-by: Mateusz Zalega <mateusz@monogon.tech>

diff --git a/metropolis/pkg/pki/certificate.go b/metropolis/pkg/pki/certificate.go
index 4ec3bf0..e7788b1 100644
--- a/metropolis/pkg/pki/certificate.go
+++ b/metropolis/pkg/pki/certificate.go

@@ -177,6 +177,14 @@
 		return nil, fmt.Errorf("invalid certificate mode %v", c.Mode)
 	}
 
+	if c.Name == "" {
+		if c.Mode == CertificateExternal {
+			return nil, fmt.Errorf("external certificate must have name set")
+		} else {
+			return nil, fmt.Errorf("managed certificate must have name set")
+		}
+	}
+
 	certPath := c.Namespace.etcdPath("%s-cert.der", c.Name)
 
 	// Try loading certificate from etcd.