Camunda 8 on Google Kubernetes Engine: Identity/Keycloak redirect loop

I have a question open too about that here:

I really do not want to have a 2nd ingress set up here, infra is much too complex already. I might opt for not exposing the Zeebe GRPC endpoint over Ingress at all, as it’s something we normally would only access from inside the cluster anyhow. For deploying from Modeler, I’d use port forwarding over kubectl.

But I have not given up yet on setting it up over GKE Ingress because the traffic is reaching my Zeebe-Gateway just fine as long as HTTP/2 is enabled for the backend. The only issue is that Zeebe-Gateway itself does not enable TLS, but GKE Ingress will only use TLS to communicate with HTTP/2 backends and cannot be forced to an unencrypted connection. So the connection fails, as Zeebe expects non-TLS traffic, but I can see the failure in Zeebe-Gateway logs, so generally the only issue is Zeebe-Gateway here.

There seems to be no possibility to force Zeebe into TLS over Helm charts, except when using Camunda’s ingress settings. But there is documentation that shows it can be set over environment variables too, so I might try that next. But for now I'll just go with what I have, as exposing Zeebe GRPC over Ingress is only a convenience, not necessary.

As for your question on Modeler, you need to authenticate with Identity on. And it seems Modeler does not support TLS either, so that could be an issue. I was able to connect to Zeebe via Modeler by using a non-TLS connection over port forwarding and also by using authentication with ClientId/ClientSecret.