If my analysis is correct, I need to get the root CA used to sign the TLS cert given to SpiceDB (generated by cert manager) on my local machine before making zed initiating the calls