Hi Team, we are trying to deploy spicedb
# spicedb
n
Hi Team, we are trying to deploy the spicedb operator. We were able to create the cluster, and the cluster launched the deployment as well as the service. By default the service is launched via the cluster IP, and when we tried accessing the service by creating an ingress endpoint it gave a 502 timeout error. Then we tried connecting to the service via the public IP by changing the service type to LoadBalancer, and we got the error "connection refused", and we are seeing the info message in our GCP console. Any help would be appreciated!!! https://cdn.discordapp.com/attachments/844600078948630559/1180080928891084831/image.png?ex=657c1f02&is=6569aa02&hm=7fc879902d71a95bc204f8fa3103fbaa79328f34ecf060c9c811c13f822d4a65& https://cdn.discordapp.com/attachments/844600078948630559/1180080929130156112/image.png?ex=657c1f02&is=6569aa02&hm=98e861edd06b816fe9e04db1a9c93a40c64c5ee109f0fd93c3834063994e3b08&
d
Hi there, so Ingress with GKE's default controller can be tricky. It doesn't support gRPC health-checking, and you have to make sure it is using HTTP/2 with TLS to talk to SpiceDB on the backend. We generally use Project Contour for Ingress. There's an example configuration here: https://github.com/authzed/spicedb-operator/tree/main/examples/cockroachdb-tls-ingress Having said that, a LoadBalancer service should work. I actually just tested that out: I copied the Service created by the operator, changed the type to LoadBalancer, and was then able to make a request with:
zed schema read --no-verify-ca --endpoint $LOAD_BALANCER_IP:50051 --token $MY_AUTH_TOKEN
n
Thank you for the response, let me try this and get back in case of any issues.
r
@das.broetchen I am a colleague of @User . So we tried the above approach but it is not working. Here we are getting a TLS issue (Handshake Failed error). Please suggest. https://cdn.discordapp.com/attachments/1180080929302138890/1181464918977941584/image.png?ex=658127f3&is=656eb2f3&hm=c63794dfb133df6dfbec438d3abd8a9d79ab85e974d0030398630554e4046ccc&
d
That looks to me like the load-balancer is not configured to serve TLS. Are you using a Service of type LoadBalancer, or Project Contour, or something else? If everything else is routing properly, but the load-balancer isn't serving TLS, you may be able to connect with the `--insecure` flag to `zed` -- but only as a test, you should of course use TLS end-to-end in production.
r
@das.broetchen We are using a load balancer launched through nginx ingress. It has TLS configured; the certificate is issued for *.domain.com. We tried to expose the SpiceDB service, launched as ClusterIP, through a path-based route. Please suggest. https://cdn.discordapp.com/attachments/1180080929302138890/1181566172102148136/image.png?ex=6581863f&is=656f113f&hm=8a2f8c65c891d3536dc9ec97008e2a4c0e5a1454c51f12844df5b6f6550be458& https://cdn.discordapp.com/attachments/1180080929302138890/1181566172370579547/image.png?ex=6581863f&is=656f113f&hm=a343baf574e77269101373f61c7610a70b32f032a7c1843a31e8b1809f3f4108&
@das.broetchen Waiting for your response.
d
Sorry, I'm not sure there's enough information here to really say where the problem is. I can say that `zed` will be reaching out to SpiceDB using gRPC, so the Ingress will need to route those requests to SpiceDB's gRPC port (`50051`), and the nginx-ingress controller needs to be configured to also use gRPC -- part of that is adding the `nginx.ingress.kubernetes.io/backend-protocol: "GRPC"` annotation. I don't have much experience with using nginx for this, unfortunately. See: https://kubernetes.github.io/ingress-nginx/examples/grpc/
n
@das.broetchen we tried the above configuration and it worked. Thank you so much!
d
Awesome! Glad to hear that. I'll close this thread then.