first app shell tutorial fails in "zed permission check" step

[ensonic]

The last part in https://docs.authzed.com/guides/first-app suggests to run 4 command like

zed permission check blog/post:1 read  blog/user:emilia --revision "${ZEDTOKEN}" # true

I take that I am suppose to use the taken here as revision (which I did). I am running a local SpiceDB instance (in minikube).

For the above command I get this error:

Error: rpc error: code = Unavailable desc = last connection error: connection error: desc = "transport: Error while dialing dial tcp 192.168.9.1:50053: connect: connection refused"
Usage:
  zed permission check <resource:id> <permission> <subject:id> [flags]
...

The other terminal running the kubectl port-forward shows that it handled a connection attempt.

Versions:

zed --skip-version-check version
client: zed 0.7.5
service: v1.11.0

Also other commands do work:

zed relationship read 'blog/post'
blog/post:1 reader blog/user:beatrice
blog/post:1 writer blog/user:emilia

[ensonic]

Okay, this is not an issue in the zed util. Also tried the go-lang version of the tutorial and get the same error in this step too.

[ensonic]

t tries to connect to a second port:

kubectl port-forward deployment/dev-spicedb 50051:50051
# in the example "localhost:50051"
go run check.go
2022/11/17 12:51:41 failed to check permission: rpc error: code = Unavailable desc = last connection error: connection error: desc = "transport: Error while dialing dial tcp 192.168.9.1:50053: connect: connection refused"

notice the 192.168.9.1:50053. Checking the serivice shows: grpc:50051►0 dispatch:50053►0 so that's dispatch. Now alos kubectl port-forwarding it, does not help though (tried kubectl port-forward deployment/dev-spicedb 50051:50051 50053:50053)

I've tried running the same code from within the cluster, but run into the same problem.

go build -o app -ldflags "-X main.address=dev:50051" check.go
docker build -t spicedb_test .
docker save -o spicedb_test.tar spicedb_test
ctr -n=k8s.io image import spicedb_test.tar
kubectl run -i --tty spicedb-test --image=docker.io/library/spicedb_test:latest --restart=Never --image-pull-policy=Never

I've found the relevant code
https://github.com/authzed/spicedb/blob/5009a53ac4ecb2f57ef7f6d9ed2444d166a6fa1d/internal/services/v1/permissions.go#L36
but not where it connects to port 50053 yet.

[josephschorr]

The error around port 50053 indicates that the system is trying to dispatch to other nodes within the cluster, but is failing to do so. I suspect your cluster is misconfigured for dispatch. How are you deploying the nodes within Kub?

[ensonic]

I used the spicedb-operator according to the instructions from
https://docs.authzed.com/spicedb/operator
It is a single node cluster (minikube)

on discord it sound I should disable dispatch, but since
https://docs.authzed.com/spicedb/operator#flags does not link to the docs of the cli, I am still hunting down how the flag might be called.

[ensonic]

With some help from discord, I updated to 1.15.0 and still get the same error. Next we disabled dispatch in the config:

spec:
  config:
    datastoreEngine: memory
    image: authzed/spicedb:v1.15.0
    dispatchUpstreamAddr: ""

but still get the error.

[ensonic]

See authzed/spicedb-operator#111

[vroldanbet]

@ensonic I'd suggest closing this issue as it's not a problem specific to zed, but a problem with the operator.

[ensonic]

Makes sense.

[vroldanbet]

Fix for problem here reported at authzed/spicedb-operator#112