# spicedb
j
are you using the Insecure flag on the client?
s
I did at first but received another error, now I just pass `PRESHARED_KEY` and url
j
you need to check if you have TLS configured on your cluster
if not, then you need to use the insecure flag
if so, make sure it has a valid cert
s
Ah, thanks! We don't have TLS configured. I get this now:
```
'invalid preshared key: rpc error: code = Unauthenticated desc = Request unauthenticated with bearer',
```
found this thread https://github.com/authzed/authzed-py/issues/89#issuecomment-1718705926 And it seems like it doesn't pass the preshared key when insecure?
j
if you're using Python, you need a special client
s
We have Node
@authzed/authzed-node ^1.2.3"
s
I might be an idiot here, but do I need a token from authzed dashboard when I use open source? 😄
j
no
you use the token from the Helm chart
s
SPICEDB_GRPC_PRESHARED_KEY:        <set to the key 'preshared_key' in secret 'preview-pr7488-backend-spicedb-shared-config'>  Optional: false
this is what I have on the spice db managed by operator, and I have verified that it's the same secret that the backend uses
any ideas?
is it a problem that my URL is not localhost:50051 ?
j
what does your config look like?
for the client
s
```ts
v1.NewClient(
  env.SPICEDB_GRPC_PRESHARED_KEY,
  datastoreUrls[tenant], // "preview-pr7488-backend-spicedb-shared.svc.cluster.local:50051"
  v1.ClientSecurity.INSECURE_LOCALHOST_ALLOWED,
)
```
```ts
const spiceDBCluster = new k8s.apiextensions.CustomResource(
  name,
  {
    apiVersion: 'authzed.com/v1alpha1',
    kind: 'SpiceDBCluster',
    metadata: {
      name,
      namespace,
    },
    spec: {
      config: {
        datastoreEngine: 'postgres',
        datastoreURI,
        logLevel,
        replicas: replicas.toString(),
        image: 'legoraregistry.azurecr.io/authzed/spicedb',
      },
      secretName: configSecret.metadata.name,
    },
  },
  { parent: this },
);
```
this is the resource definition
```ts
new k8s.helm.v3.Release(
  'spicedb-operator',
  {
    namespace: coreNamespace.metadata.name,
    repositoryOpts: {
      repo: 'https://bushelpowered.github.io/spicedb-operator-chart',
    },
    chart: 'spicedb-operator',
    version: '2.0.0',
    values: {
      image: {
        repository: pulumi.interpolate`${registry}/authzed/spicedb-operator`,
        pullPolicy: 'IfNotPresent',
      },
      installCRDs: true,
      ...getPodSpecForNodePool(NodePool.SYSTEM),
    },
  },
  { parent: this, protect: true },
);
```
j
yeah
`INSECURE_LOCALHOST_ALLOWED` only works for localhost
you'll need to pick the other insecure option
s
Ah! the `INSECURE_PLAINTEXT_CREDENTIALS`, is there anything else I need to configure when using this option?
j
INSECURE_PLAINTEXT_CREDENTIALS
nope
just be aware it is insecure
so don't use it for anything real
s
omg thanks! It works now!!! ❤️
j
excellent
c
I'm not sure if this is a helpful place to add feedback, but this question and its answers put our entire project back on track after being derailed by our pilot project not being able to connect to local orbstack docker container (orbstack uses `*.orb.local` DNS by default for containers). I think it would be very beneficial to future visitors to add `v1.ClientSecurity.INSECURE_PLAINTEXT_CREDENTIALS` as the default security setting for documentation that is meant for developers who are trialing spicedb locally.
(The critical point is that although "INSECURE_LOCALHOST_ALLOWED" may appear to self-document that it is for localhost only, there are so many variables in an initial docker setup, that it is not obvious to newcomers that this is the key piece.)
j
mind filing an issue?
or feel free to issue a PR 🙂
c
BTW thanks for making this Discord channel content google searchable via linen! I probably would have been googling for much longer without that 😄
j
of course