Are these configs helm-able? <https://docs.flyte.o...
# flyte-support
n
Are these configs helm-able? https://docs.flyte.org/projects/flytectl/en/latest/gen/flytectl_get_workflow-execution-config.html do they live in config-maps somewhere
a
I think most of it should land on the flyte-admin-base-config CM. Any specific config you want to helm?
n
mostly interested in the security context and the raw output_data_config but I can work with CMs
a
ok, bc I see global defaults for both but not sure they're tied to project/domains in the same way as execution configs
n
so you think that they might not exist in the CM on a project/domain fidelity? where do the execution configs live
a
I'm reproducing this with a flyte-core deployment and will get back to you
so it doesn't seem to land at any of the backend configmaps. I'll check if it's part of the serialized protobuf
n
basically trying to configure the projects/domains in the setup process here to use specific service accounts and output folders. it's not super clear to me how to use the cluster_resource_manager inside the helm chart to do this, e.g. project_a (all domains) would use service_account_a and s3_bucket_a; project_b (all domains) would use service_account_b and s3_bucket_b
f
@numerous-hamburger-7178 / @average-finland-92144 you can set buckets per project using the following type of config
flytectl update workflow-execution-config --attrFile
```yaml
domain: development
labels:
  values:
    aws-account: "test"
    cluster: example1
project: cluster-example1
raw_output_data_config:
  output_location_prefix: s3://example1-bucket
#security_context:
#  run_as:
#    k8s_service_account: default
```
I think we should doc this
n
@freezing-airport-6809 that's what I linked at the start of the thread. I was asking if there was a way to do it during setup using kube/helm instead of using flytectl commands
r
@numerous-hamburger-7178 did you have any success doing this in helm? I'm now trying to do the same thing. I've tried this first but that didn't work since this is not a jinja template and it seems project and domain are not available
```yaml
002_serviceaccount.yaml: |
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: extra
        namespace: '{{ namespace }}'
        annotations:
          iam.gke.io/gcp-service-account: 'flyte-prod-{{project|truncate(9, True, '')}}-{{domain|truncate(6, True, '')}}@<project>.iam.gserviceaccount.com'
```
fwiw this worked
```yaml
002_serviceaccount.yaml: |
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: extra
        namespace: '{{ namespace }}'
        annotations:
          iam.gke.io/gcp-service-account: 'flyte-p-{{ project }}-{{ domain }}@project.iam.gserviceaccount.com'
```
The problem with that is that if project and domain are too long it's very easy to go over the 30 character limit for the service account
a
@ripe-smartphone-56353 thanks for sharing. So this means you have to run executions so they use the extra KSA instead of the default right? I guess as long as you keep the one project-domain:one namespace relationship that will work. The output bucket per project is what I don't see how to configure with Helm
r
So this means you have to run executions so they use the extra KSA instead of the default right?
Yes in this example it would. But I'm going to switch that service account to be the default after some testing.