Container Orchestration Connection Profiles

The following topics describe connection profiles for container orchestration platforms and services:

ConnectionProfile:AWS ECS

AWS Elastic Container Service (ECS) is a container management service that enables you to execute, stop, manage, and monitor containerized applications in a cluster.

The following examples show how to define a connection profile for an AWS ECS job.

  • This JSON defines a connection profile based on an authentication using an AWS access key and secret:

    {
       "AWS ECS":
       {
          "Type": "ConnectionProfile:AWS ECS",
          "AWS ECS URL": "https://ecs.us-east-1.amazonaws.com",
          "Cloud Watch URL": "https://logs.us-east-1.amazonaws.com",
          "AWS Region": "us-east-1",
          "Authentication Method": "Secret",
          "AWS Access Key": "<Access Key>",
          "AWS Secret": "*****",
          "Connection Timeout": "30",
          "Description": "",
          "Centralized": true
       }
    }
  • This JSON defines a connection profile based on an authentication using an AWS IAM role from inside an EC2 instance:

    {
       "AWS ECS":
       {
          "Type": "ConnectionProfile:AWS ECS",
          "AWS ECS URL": "https://ecs.us-east-1.amazonaws.com",
          "Cloud Watch URL": "https://logs.us-east-1.amazonaws.com",
          "AWS Region": "us-east-1",
          "Authentication Method": "IAM",
          "AWS IAM Role": "IAM ROLE",
          "Connection Timeout": "30",
          "Description": "",
          "Centralized": true
       }
    }

The following table describes the AWS ECS job connection profile parameters.

Parameter

Description

AWS ECS URL

Defines the AWS ECS authentication endpoint, based on the following format:

https://ecs.<region>.amazonaws.com

For more information about regional endpoints available for the AWS ECS service, refer to the AWS documentation.

Cloud Watch URL

Defines the Cloud Watch authentication endpoint.

AWS Region

Determines the region where the AWS ECS jobs are located.

Authentication Method

Determines one of the following authentication methods for the connection with AWS ECS:

  • Secret: Authenticates using an access key and secret.

  • IAM: Authenticates based on an IAM role, which removes the need to provide additional credentials.

AWS Access Key

(Secret Authentication) Defines the AWS ECS account access key.

AWS Secret

(Secret Authentication) Defines the AWS ECS account secret access key. To avoid exposing this value in the code, you can use Secrets in Code.

AWS IAM Role

(IAM Authentication) Defines the Identity and Access Management (IAM) role for the AWS ECS connection.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to AWS ECS before a timeout occurs.

Default: 30

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M database and is available to all Agents.

You must set this parameter to true.
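
The following added example (not part of the original Control-M documentation) is a pre-deployment check for AWS ECS connection profiles, built from the parameter table above: it verifies that both endpoints use HTTPS and match AWS Region, that the fields present match the chosen Authentication Method, and that Centralized is true. The profile name ECS_PROD, the sample values, the standard <service>.<region>.amazonaws.com endpoint form, and the rule against static keys in IAM profiles are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample (not from the page): region mismatch, a static key left in
# an IAM-role profile, and Centralized set to false.
SAMPLE = json.loads("""{
  "ECS_PROD": {
    "Type": "ConnectionProfile:AWS ECS",
    "AWS ECS URL": "https://ecs.us-east-1.amazonaws.com",
    "Cloud Watch URL": "https://logs.us-east-1.amazonaws.com",
    "AWS Region": "eu-west-1",
    "Authentication Method": "IAM",
    "AWS IAM Role": "constructed-role-name",
    "AWS Access Key": "CONSTRUCTED-ACCESS-KEY-ID",
    "Centralized": false
  }
}""")

def check_ecs_profile(name, p):
    """Return findings for one ConnectionProfile:AWS ECS object."""
    findings = []
    region = p.get("AWS Region", "")
    # Assumption: standard regional endpoints, <service>.<region>.amazonaws.com.
    for key, svc in (("AWS ECS URL", "ecs"), ("Cloud Watch URL", "logs")):
        url = urlparse(p.get(key, ""))
        want = f"{svc}.{region}.amazonaws.com"
        if url.scheme != "https" or url.hostname != want:
            findings.append(f"{name}: {key} should be https://{want}")
    method = p.get("Authentication Method")
    static = [k for k in ("AWS Access Key", "AWS Secret") if p.get(k)]
    if method == "Secret" and len(static) < 2:
        findings.append(f"{name}: Secret method needs access key and secret")
    elif method == "IAM":
        if not p.get("AWS IAM Role"):
            findings.append(f"{name}: IAM method needs AWS IAM Role")
        if static:  # policy of this example: no long-lived keys beside a role
            findings.append(f"{name}: unused static credentials: {static}")
    elif method not in ("Secret", "IAM"):
        findings.append(f"{name}: unknown Authentication Method {method!r}")
    if p.get("Centralized") is not True:
        findings.append(f"{name}: Centralized must be true")
    return findings

def check_file(doc):
    """Check every AWS ECS connection profile in a parsed profile document."""
    return [f for name, p in doc.items()
            if isinstance(p, dict) and p.get("Type") == "ConnectionProfile:AWS ECS"
            for f in check_ecs_profile(name, p)]

if __name__ == "__main__":
    print("\n".join(check_file(SAMPLE)))
```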

ConnectionProfile:GCP Cloud Run

GCP Cloud Run is a container management service that enables you to execute, stop, manage, and monitor containerized applications in a cluster.

The following example shows how to define a GCP Cloud Run connection profile that authenticates as a service account:

{
   "GCR":
   {
      "Type": "ConnectionProfile:GCP Cloud Run",
      "Identity Type": "service_account",
      "Cloud Run URL": "https://run.googleapis.com",
      "Service Account Key": "*****",
      "Description": "",
      "Connection Timeout": 20,
      "Centralized": true
   }
}

The following table describes the GCP Cloud Run job connection profile parameters.

Parameter

Description

Identity Type

Determines one of the following authentication types using GCP Access Control:

  • service_account: Authenticates with an application ID (service account) and client secret.

  • iam_user: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

GCP Cloud Run URL

Defines the Google Cloud Platform (GCP) authentication endpoint for Cloud Run.

Service Account Key

(Service Account) Defines a service account that is associated with an RSA key pair.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to GCP Cloud Run before a timeout occurs.

Default: 20 seconds

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M database and is available to all Agents.

You must set this parameter to true.

ConnectionProfile:Kubernetes

The Kubernetes job enables you to run a pod to completion in a Kubernetes-based cluster.

For more information about this plug-in, see Helix Control-M for Kubernetes.

The following example shows how to define a connection profile for a Kubernetes job:

{
   "KBN_CCP":
   {
      "Type": "ConnectionProfile:Kubernetes",
      "Description": "Profile for agent running in the Kubernetes cluster",
      "Namespace": "jobspace",
      "Kubernetes Cluster URL": "https://kubernetes.default.svc",
      "Service Token File": "/var/run/secrets/kubernetes.io/serviceaccount/token",
      "Connection Timeout": "50",
      "Centralized": true
   }
}

The following table describes the Kubernetes job connection profile parameters.

Parameter

Description

Namespace

Defines the name of the Kubernetes namespace.

Kubernetes Cluster URL

Defines the URL for the connection to the Kubernetes cluster.

Default: https://kubernetes.default.svc

Service Token File

Defines the path to the token file for the connection to Kubernetes.

Default: /var/run/secrets/kubernetes.io/serviceaccount/token

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to Kubernetes before a timeout occurs.

Default: 50

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M database and is available to all Agents.

You must set this parameter to true.