fix(thoth): avoid hairpinning by connecting directly to thoth in the cluster

Signed-off-by: Xe Iaso <me@xeiaso.net>

Author: Xe

cmd/sponsor-panel/internal/thoth/thoth.go

@@ -11,6 +11,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
 	healthv1 "google.golang.org/grpc/health/grpc_health_v1"
 	"google.golang.org/grpc/metadata"
 	adminv1 "xeiaso.net/v4/gen/techaro/thoth/auth/admin/v1"
@@ -25,18 +26,26 @@ type Client struct {
 	AdminUsers adminv1.UsersServiceClient
 }
 
-func New(ctx context.Context, thothURL, apiToken string) (*Client, error) {
+func New(ctx context.Context, thothURL, apiToken string, noTLS bool) (*Client, error) {
 	clMetrics := grpcprom.NewClientMetrics(
 		grpcprom.WithClientHandlingTimeHistogram(
 			grpcprom.WithHistogramBuckets([]float64{0.001, 0.01, 0.1, 0.3, 0.6, 1, 3, 6, 9, 20, 30, 60, 90, 120}),
 		),
 	)
 	prometheus.DefaultRegisterer.Register(clMetrics)
 
+	var transportCreds credentials.TransportCredentials
+
+	switch noTLS {
+	case true:
+		transportCreds = insecure.NewCredentials()
+	case false:
+		transportCreds = credentials.NewTLS(&tls.Config{})
+	}
+
 	conn, err := grpc.NewClient(
 		thothURL,
-		grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{})),
-		//grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithTransportCredentials(transportCreds),
 		grpc.WithChainUnaryInterceptor(
 			timeout.UnaryClientInterceptor(5*time.Minute),
 			clMetrics.UnaryClientInterceptor(),

cmd/sponsor-panel/main.go

@@ -59,8 +59,9 @@ var (
 	patreonFiftyPlus    = flag.String("patreon-fifty-plus", "", "Comma-separated list of Patreon usernames always treated as $50+ sponsors")
 
 	// Thoth settings
-	thothToken = flag.String("thoth-token", "", "Thoth API token (use a god token)")
-	thothURL   = flag.String("thoth-url", "passthrough:///thoth.techaro.lol:443", "URL for the Thoth API server")
+	thothInsecure = flag.Bool("thoth-insecure", false, "if true, connect to thoth without TLS")
+	thothToken    = flag.String("thoth-token", "", "Thoth API token (use a god token)")
+	thothURL      = flag.String("thoth-url", "passthrough:///thoth.techaro.lol:443", "URL for the Thoth API server")
 
 	//go:embed static
 	staticFS embed.FS

docker/patreon-saasproxy.Dockerfile

@@ -11,6 +11,7 @@ COPY go.mod go.sum ./
 RUN go mod download
 
 COPY . .
+RUN apk -U add git
 RUN --mount=type=cache,target=/root/.cache GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -ldflags="-X xeiaso.net/v4.Version=$(git describe --tags --always --dirty)"  -gcflags "all=-N -l" -o /app/bin/patreon-saasproxy ./cmd/patreon-saasproxy
 
 FROM alpine:${ALPINE_VERSION} AS run

docker/sponsor-panel.Dockerfile

@@ -12,7 +12,7 @@ COPY go.mod go.sum ./
 RUN go mod download
 
 COPY . .
-RUN apk -U add nodejs npm \
+RUN apk -U add git nodejs npm \
   && npm ci \
   && cd ./cmd/sponsor-panel \
   && go generate ./...

manifest/sponsor-panel/deployment.yaml

@@ -37,6 +37,8 @@ spec:
               value: ":4823"
             - name: SLOG_LEVEL
               value: "info"
+            - name: "THOTH_INSECURE"
+              value: "true"
           ports:
             - containerPort: 4823
               name: http