Configure Secure/TLS GRPC with Helm Chart/AWS

Description

I am unable to configure GRPC with TLS security. I am attempting to use AWS load balancer annotations and am able to connect using the secure_grcp: False flag, but adding annotations for TLS makes it fail. I can't find guidance anywhere on how to configure GRPC with TLS security.

Server Setup Information

  • Weaviate Server Version: 1.25.6
  • Deployment Method: Helm/k8s/AWS
  • Multi Node? No
  • Client Language and Version: Python v4
  • Multitenancy?: No

Any additional Information

grpcService:
  enabled: true
  name: weaviate-grpc
  ports:
    - name: grpc
      protocol: TCP
      port: 50051
  type: LoadBalancer
  loadBalancerSourceRanges:
  clusterIP:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: internal
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    service.beta.kubernetes.io/aws-load-balancer-subnets: ${subnets}

I have tried adding the following annotations to add TLS and control the ALPN policy:

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${acm_certificate_arn}
service.beta.kubernetes.io/aws-load-balancer-alpn-policy: HTTP2Preferred

Error I receive with the TLS cert on the endpoint:

grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNAVAILABLE
details = "failed to connect to all addresses; last error: UNKNOWN: ipv4:10.219.217.106:50051: Cannot check peer: missing selected ALPN property."
debug_error_string = "UNKNOWN:Error received from peer {created_time:"2024-07-24T14:18:48.657627534-07:00", grpc_status:14, grpc_message:"failed to connect to all addresses; last error: UNKNOWN: ipv4:10.219.217.106:50051: Cannot check peer: missing selected ALPN property."}"

hi @captainmccurry !!

Sorry! Missed this message. :thinking:
Just discovered some messages that went under my radar :frowning:

Hope you were able to solve this already :frowning:

Are you still facing this issue?

Unfortunately we do not have extensive documentation on how to expose Weaviate in different deployments as those can vary a lot.

Bottom line is that you need to expose http and grpc ports.

You can also use tools like grpcurl to check its serving status.

like so:

# lets test our grpc connection
❯ wget https://raw.githubusercontent.com/grpc/grpc/master/src/proto/grpc/health/v1/health.proto
❯ grpcurl -d '{"service": "Weaviate"}' -proto health.proto grpc.weaviate.mydomain.com:50051 grpc.health.v1.Health/Check
{
  "status": "SERVING"
}

There is some discussion around this subject (docker compose + traefik) here:

Let me know if this helps!

Thanks!
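The "Cannot check peer: missing selected ALPN property" error above means the TLS handshake completed but the listener never selected h2 via ALPN, which gRPC requires. The following is an added diagnostic (not Weaviate's code or anything from the original thread) that performs the same TLS handshake a gRPC client would, offering only h2, and reports what the load balancer selected; the host name and port are assumed placeholders, and the ACM certificate is assumed to match the host name you connect with.

```python
import socket
import ssl
import sys
from typing import Optional


def probe_alpn(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Complete a TLS handshake offering only "h2" (as a gRPC client does)
    and return the ALPN protocol the server selected, or None if it
    selected nothing. Certificate verification uses the system trust store."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


def explain(selected: Optional[str]) -> str:
    """Map the negotiated ALPN protocol to what the gRPC client will see."""
    if selected == "h2":
        return "ok: endpoint selected h2, gRPC over TLS can proceed"
    if selected is None:
        return ("no ALPN protocol selected: the TLS listener is terminating TLS "
                "without an h2 ALPN policy, so grpc reports "
                "'Cannot check peer: missing selected ALPN property'")
    return f"unexpected ALPN protocol {selected!r}: gRPC needs h2"


if __name__ == "__main__":
    # Usage: python alpn_probe.py grpc.weaviate.example.com 50051
    # (host/port are placeholders, not values from the thread)
    target_host = sys.argv[1] if len(sys.argv) > 1 else "grpc.weaviate.example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 50051
    print(explain(probe_alpn(target_host, target_port)))
```

If the probe reports no ALPN protocol while `grpc_secure=False` works, the listener's TLS termination is the problem rather than Weaviate itself.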