19913d85-f662-4518-a9a1-7adc1793dfd4.png){kind=small}
Has anyone looked into running Dagster user code d...
# deployment-kubernetesm
Michel Rouly
02/11/2023, 9:18 PMHas anyone looked into running Dagster user code deployments in multiple alternate namespaces? I just tried that, and ran into a blocker and an interesting observation. 🧵
Michel Rouly
02/11/2023, 9:19 PMSo to describe the scenario first of all. I had the Dagster Helm chart (Dagit, Daemon) deployed into the
dagsterfoobarMichel Rouly
02/11/2023, 9:20 PMThe first problem I ran into was that the user code deployments relied on the
dagster-postgresql-secretMichel Rouly
02/11/2023, 9:20 PMBut I provisioned one of those in the
foobarMichel Rouly
02/11/2023, 9:21 PMSo then the blocker I ran into was the Dagster k8s run launcher: it only supports a single job namespace. It defaults to the release namespace (in this case
dagsterMichel Rouly
02/11/2023, 9:22 PMOh, another issue I ran into was the Dagster service account's bound role. It only grants permission to operate in the run launcher's job namespace.
So you'd need either a ClusterRole (scary) or a bunch of different per-namespace permissions I guess.
a
Andrea Giardini
02/11/2023, 9:27 PMRegarding the psql secret. A solution could be to modify the helm chart to allow setting annotations on the secret ( here ) and then use https://github.com/emberstack/kubernetes-reflector to mirror the secret across different namespaces
m
Michel Rouly
02/11/2023, 9:29 PMYep that's certainly true. We tend to shy away from that strategy just out of an interest in having a little more control over what we're creating and where, but it's a valid option.
I think if I were going to continue down this path, I would be able to just inject the Postgres secret as a K8s manifest alongside the Helm release. A little more inconvenient to be sure.
👍 1
a
Andrea Giardini
02/11/2023, 9:31 PMRegarding the dagsterk8slauncher. I think it would be nice if by default the jobs are run in the same namespace where the user-code lives.
👍 2
Andrea Giardini
02/11/2023, 9:31 PMbut i belive it’s not possible at it’s current state
m
Michel Rouly
02/11/2023, 9:31 PMYeah -- I took a look through the code to see how difficult it would be to lift the variable into a list, and it's everywhere unfortunately.
Michel Rouly
02/11/2023, 9:32 PMI am not bold enough to take that on as a PR at this time haha 😅
a
Alexandre Guitton
02/11/2023, 10:31 PMIf ever I have a project that is implementing this kind of configuration: https://github.com/konpyutaika/data-platform/tree/main/EKS
• Namespace
system-dagsterbusinessm
Michel Rouly
02/11/2023, 10:32 PMOh interesting. The "system" Dagit in `system-dagster`: are you able to schedule jobs in
businessproducta
Alexandre Guitton
02/11/2023, 10:41 PMThere is only one daemon that is responsible for scheduling tasks associated with that the system dagit for all jobs. And the Dagit per namespace are not read-only but I don't deploy a daemon.
This way, only the system-dagit manages the trigger rules, and per-namespace Dagits still allow teams to run tasks manually!
And if I run the job from the scheduler, system dagIt or dagIt by namespace, it doesn't change the location of the runtime pod and steps, it's still in the same namespace as the user deployment.
(This isn't a production setup yet, and maybe I'm missing something, but from all the testing I've done so far, it seems to work).
👀 3
a
Andrea Giardini
02/12/2023, 6:02 PMInteresting setup… Let us know if you end up deploying it in prod
a
Alexandre Guitton
02/12/2023, 7:26 PMI will, as soon as our POC convinces us that this is the right plan to let the Airflow for dagster 😛
5 Views