tsnet: require I_Acknowledge_This_API_Is_Experimental to use AuthenticatedAPITransport()

It's not entirely clear whether this capability will be maintained, or in what form,
so this serves as a warning to that effect.

Updates tailscale/corp#22748

Signed-off-by: Percy Wegmann <percy@tailscale.com>

1 files changed, 9 insertions, 0 deletions

diff --git a/tsnet/tsnet.go b/tsnet/tsnet.go
index 6fffa9aff..680825708 100644
--- a/tsnet/tsnet.go
+++ b/tsnet/tsnet.go
@@ -946,10 +946,16 @@ func (s *Server) APIClient() (*tailscale.Client, error) {
 	return c, nil
 }
 
+// I_Acknowledge_This_API_Is_Experimental must be set true to use AuthenticatedAPITransport()
+// for now.
+var I_Acknowledge_This_API_Is_Experimental = false
+
 // AuthenticatedAPITransport provides an HTTP transport that can be used with
 // the control server API without needing additional authentication details. It
 // authenticates using the current client's nodekey.
 //
+// It requires the user to set I_Acknowledge_This_API_Is_Experimental.
+//
 // For example:
 //
 //	import "net/http"
@@ -966,6 +972,9 @@ func (s *Server) APIClient() (*tailscale.Client, error) {
 //	    Transport: rt,
 //	}}
 func (s *Server) AuthenticatedAPITransport() (http.RoundTripper, error) {
+	if !I_Acknowledge_This_API_Is_Experimental {
+		return nil, errors.New("use of AuthenticatedAPITransport without setting I_Acknowledge_This_API_Is_Experimental")
+	}
 	if err := s.Start(); err != nil {
 		return nil, err
 	}