m/n/core/rpc: limit API footgun availability

This unifies the interface of the
New{Ephemeral,Authenticated}Credentials calls. They now use the same set
of CredentialsOpt options which allows both calls to request a
particular verification of the remote side of the connection.
NewEphemeralCredentials also now requires an explicit WantInsecure
option which surfaces attempts to dial the cluster without CA/node
verification.

Change-Id: Ibb65cb0952f6ff2092a3f55fe1c5a31bd2b72b36
Reviewed-on: https://review.monogon.dev/c/monogon/+/2741
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/cloud/bmaas/server/agent_callback_service_test.go b/cloud/bmaas/server/agent_callback_service_test.go
index 3bd3df9..4a3a9f4 100644
--- a/cloud/bmaas/server/agent_callback_service_test.go
+++ b/cloud/bmaas/server/agent_callback_service_test.go
@@ -58,7 +58,7 @@
 	}
 
 	heartbeat := func(mid uuid.UUID) error {
-		creds, err := rpc.NewEphemeralCredentials(priv, nil)
+		creds, err := rpc.NewEphemeralCredentials(priv, rpc.WantInsecure())
 		if err != nil {
 			t.Fatalf("could not generate ephemeral credentials: %v", err)
 		}
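Review bot: The `rpc.WantInsecure()` argument in the first `heartbeat` closure has no comment saying why skipping CA/node verification is acceptable at this call site, and the same applies to the identical change in the second `heartbeat` closure in the next hunk. The commit description says the option exists to surface attempts to dial without verification, so each use should carry a one-line justification that a later audit of `WantInsecure` call sites can read. Something like `// Test-only: no cluster CA exists for this server, so remote verification is intentionally skipped.` would do. That rationale is presumed, since the test's server setup lies outside the hunk, so confirm it before adding the comment. Both closures begin and end outside the visible hunks.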
@@ -136,7 +136,7 @@
 	}
 
 	heartbeat := func(mid uuid.UUID, report *apb.OSInstallationReport) (*apb.AgentHeartbeatResponse, error) {
-		creds, err := rpc.NewEphemeralCredentials(priv, nil)
+		creds, err := rpc.NewEphemeralCredentials(priv, rpc.WantInsecure())
 		if err != nil {
 			t.Fatalf("could not generate ephemeral credentials: %v", err)
 		}