tsnet: require I_Acknowledge_This_API_Is_Experimental to use AuthenticatedAPITransport()

It's not entirely clear whether this capability will be maintained, or in what form, so this serves as a warning to that effect. Updates tailscale/corp#22748 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2025-04-22 17:01:43 +00:00 · 2025-02-14 15:34:33 -06:00 · 2025-02-14 15:34:33 -06:00 · 052eefbcce
commit 052eefbcce
parent 9ae9de469a
1 changed files with 9 additions and 0 deletions
--- a/tsnet/tsnet.go
+++ b/tsnet/tsnet.go
@ -946,10 +946,16 @@ func (s *Server) APIClient() (*tailscale.Client, error) {
 	return c, nil
 }

+// I_Acknowledge_This_API_Is_Experimental must be set true to use AuthenticatedAPITransport()
+// for now.
+var I_Acknowledge_This_API_Is_Experimental = false
+
 // AuthenticatedAPITransport provides an HTTP transport that can be used with
 // the control server API without needing additional authentication details. It
 // authenticates using the current client's nodekey.
 //
+// It requires the user to set I_Acknowledge_This_API_Is_Experimental.
+//
 // For example:
 //
 //	import "net/http"
@ -966,6 +972,9 @@ func (s *Server) APIClient() (*tailscale.Client, error) {
 //	    Transport: rt,
 //	}}
 func (s *Server) AuthenticatedAPITransport() (http.RoundTripper, error) {
+	if !I_Acknowledge_This_API_Is_Experimental {
+		return nil, errors.New("use of AuthenticatedAPITransport without setting I_Acknowledge_This_API_Is_Experimental")
+	}
 	if err := s.Start(); err != nil {
 		return nil, err
 	}