# deployment-kubernetes
c
Hey folks 👋 I’m curious how you have handled making Dagit internally accessible to the team without port forwarding? We’re considering putting it behind a load balancer on a custom domain and restricting access by IP since there’s no built-in authentication. Curious to hear what other people have set up!
s
cc: @Tobias Macey who I know set something up
🙏 1
s
hey, we use a public DNS record (private IP), so the instance is only available from VPN. we generate the TLS cert with cert-manager on k8s via Let's Encrypt.
🙏 1
s
We’re also in discussion about how to achieve similar things (multi-tenancy for different customers). Atm we'll probably go for deploying Dagster for each customer as I didn’t see any other way. But curious what other ways are possible
t
I've got my Dagit instance set up behind a Caddy proxy that is using the caddy-auth plugin to require a username/password to access it.
a
we use Google IAP for the Dagit hosted in our GKE cluster https://cloud.google.com/iap/docs/enabling-kubernetes-howto
👀 1
c
Awesome, this is super helpful — thanks everyone! 🙏
b
Hi @Charles Lariviere, I'm glad you brought this up because I ran into trouble configuring Dagit to talk to the local traefik2 on my laptop cluster (https://enclave.do.controlplane.info/00.html#install-k8s-the-easy-way is basically what I'm doing). Does anyone run clusters on their local machine? What's your favorite reverse proxy setup? DMs ok.
If you use ingress-nginx it has a similar system too; look at Pomerium or oauth2_proxy to plug into it
b
This is great! It has all my favorite side dishes, thank you @Noah K