m/n/core/rpc: limit API footgun availability This unifies the interface of the New{Ephemeral,Authenticated}Credentials calls. They now use the same set of CredentialsOpt options which allows both calls to request a particular verification of the remote side of the connection. NewEphemeralCredentials also now requires an explicit WantInsecure option which surfaces attempts to dial the cluster without CA/node verification. Change-Id: Ibb65cb0952f6ff2092a3f55fe1c5a31bd2b72b36 Reviewed-on: https://review.monogon.dev/c/monogon/+/2741 Tested-by: Jenkins CI Reviewed-by: Lorenz Brun <lorenz@monogon.tech>

commit: 0c2801516b5191472bd4bc1a07ab6f414a805b27 [log] [tgz]
author: Serge Bazanski <serge@monogon.tech> Mon Feb 05 14:33:19 2024 +0100
committer: Serge Bazanski <serge@monogon.tech> Thu Feb 08 11:10:07 2024 +0000
tree: ddcffa8351f934c0a7066a6341b8bc6888e90ab3
parent: ad86a55c9c507478e2c4989f50912d7869164066 [diff] [blame]
diff --git a/metropolis/test/launch/cluster/cluster.go b/metropolis/test/launch/cluster/cluster.go
index 1066d4d..06b928b 100644
--- a/metropolis/test/launch/cluster/cluster.go
+++ b/metropolis/test/launch/cluster/cluster.go

@@ -580,7 +580,7 @@
 func firstConnection(ctx context.Context, socksDialer proxy.Dialer) (*tls.Certificate, *NodeInCluster, error) {
 	// Dial external service.
 	remote := fmt.Sprintf("10.1.0.2:%s", node.CuratorServicePort.PortString())
-	initCreds, err := rpc.NewEphemeralCredentials(InsecurePrivateKey, nil)
+	initCreds, err := rpc.NewEphemeralCredentials(InsecurePrivateKey, rpc.WantInsecure())
 	if err != nil {
 		return nil, nil, fmt.Errorf("NewEphemeralCredentials: %w", err)
 	}
commit	0c2801516b5191472bd4bc1a07ab6f414a805b27	[log] [tgz]
author	Serge Bazanski <serge@monogon.tech>	Mon Feb 05 14:33:19 2024 +0100
committer	Serge Bazanski <serge@monogon.tech>	Thu Feb 08 11:10:07 2024 +0000
tree	ddcffa8351f934c0a7066a6341b8bc6888e90ab3
parent	ad86a55c9c507478e2c4989f50912d7869164066 [diff] [blame]