validation: option to bypass

config/options.go

@@ -300,6 +300,8 @@ type Options struct {
 	AuditKey *PublicKeyEncryptionKeyOptions `mapstructure:"audit_key"`
 
 	BrandingOptions httputil.BrandingOptions
+
+	DisableValidation bool
 }
 
 type certificateFilePair struct {
@@ -577,6 +579,10 @@ func bindEnvsRecursive(t reflect.Type, v *viper.Viper, keyPrefix, envPrefix stri
 
 // Validate ensures the Options fields are valid, and hydrated.
 func (o *Options) Validate() error {
+	if o.DisableValidation {
+		return nil
+	}
+
 	ctx := context.TODO()
 	if !IsValidService(o.Services) {
 		return fmt.Errorf("config: %s is an invalid service type", o.Services)

internal/databroker/config_source.go

@@ -101,9 +101,12 @@ func (src *ConfigSource) rebuild(ctx context.Context, firstTime firstTime) {
 	ids := maps.Keys(src.dbConfigs)
 	sort.Strings(ids)
 
-	certsIndex := cryptutil.NewCertificatesIndex()
+	var certsIndex *cryptutil.CertificatesIndex
-	for _, cert := range cfg.Options.GetX509Certificates() {
+	if !cfg.Options.DisableValidation {
-		certsIndex.Add(cert)
+		certsIndex = cryptutil.NewCertificatesIndex()
+		for _, cert := range cfg.Options.GetX509Certificates() {
+			certsIndex.Add(cert)
+		}
 	}
 
 	// add all the config policies to the list

pkg/cryptutil/certificates_index.go

@@ -34,6 +34,10 @@ func (c *CertificatesIndex) Add(cert *x509.Certificate) {
 
 // OverlapsWithExistingCertificate returns true if the certificate overlaps with an existing certificate.
 func (c *CertificatesIndex) OverlapsWithExistingCertificate(cert *x509.Certificate) (bool, string) {
+	if c == nil {
+		return false, ""
+	}
+
 	usage := getCertUsage(cert)
 	for _, name := range cert.DNSNames {
 		if c.match(name, usage) {