Container Orchestration Connection Profiles
The following topics describe connection profiles for container orchestration platforms and services:
ConnectionProfile:AWS ECS
AWS Elastic Container Service (ECS) is a container management service that enables you to execute, stop, manage, and monitor containerized applications in a cluster.
The following examples show how to define a connection profile for an AWS ECS job.
-
This JSON defines a connection profile based on an authentication using an AWS access key and secret:
Copy{
"AWS ECS":
{
"Type": "ConnectionProfile:AWS ECS",
"AWS ECS URL": "https://ecs.us-east-1.amazonaws.com",
"Cloud Watch URL": "https://logs.us-east-1.amazonaws.com",
"AWS Region": "us-east-1",
"Authentication Method": "Secret",
"AWS Access Key": "<Access Key>",
"AWS Secret": "*****",
"Connection Timeout": "30",
"Description": "",
"Centralized": true
}
} -
This JSON defines a connection profile based on an authentication using an AWS IAM role from inside an EC2 instance:
Copy{
"AWS ECS":
{
"Type": "ConnectionProfile:AWS ECS",
"AWS ECS URL": "https://ecs.us-east-1.amazonaws.com",
"Cloud Watch URL": "https://logs.us-east-1.amazonaws.com",
"AWS Region": "us-east-1",
"Authentication Method": "IAM",
"AWS IAM Role": "IAM ROLE",
"Connection Timeout": "30",
"Description": "",
"Centralized": true
}
}
The following table describes the AWS ECS job connection profile parameters.
|
Parameter |
Description |
|---|---|
|
AWS ECS URL |
Defines the AWS ECS authentication endpoint, based on the following format: https://ecs.<region>.amazonaws.com For more information about regional endpoints available for the AWS ECS service, refer to the AWS documentation. |
|
Cloud Watch URL |
Defines the Cloud Watch authentication endpoint. |
|
AWS Region |
Determines the region where the AWS ECS jobs are located. |
|
Authentication Method |
Determines one of the following authentication methods for the connection with AWS ECS:
|
|
AWS Access Key |
(Secret Authentication) Defines the AWS ECS account access key. |
|
AWS Secret |
(Secret Authentication) Defines the AWS ECS account secret access key. You can use Secrets in Code to not expose this value in the code. |
|
AWS IAM Role |
(IAM Authentication) Defines the Identity and Access Management (IAM) role for the AWS ECS connection. |
|
Connection Timeout |
Determines the number of seconds to wait after Control-M initiates a connection request to AWS ECS before a timeout occurs. Default:: 30 |
|
Centralized |
Determines whether to create a centralized connection profile, which is stored in the Control-M database and is available to all Agents. You must set this parameter to true. |
ConnectionProfile:Azure Container Instances
Azure Container Instances enables you to run an isolated container in Azure, without having to manage any virtual machines and without having to adopt a higher-level service.
The following examples show how to define a connection profile for an Azure Container Instances job.
-
This JSON-based connection profile authenticates using a service principal:
Copy"ACI_SERVPRINC":
{
"Type": "ConnectionProfile:Azure Container Instances",
"Subscription ID": "e76056e0-70de-4da8-b02e-61263a150b1f",
"Authentication Method": "PRINCIPAL",
"Tenant ID": "tenantId",
"Application ID": "7f477fa3-1a1f-4877-ba80-f39bb563f1b5",
"Client Secret": "*****",
"Login URL": "https://login.microsoftonline.com",
"Management URL": "https://management.azure.com",
"Connection Timeout": "50",
"Description": "",
"Centralized": true
} -
This JSON-based connection profile authenticates using a managed identity:
Copy"ACI_MANID":
{
"Type": "ConnectionProfile:Azure Container Instances",
"Subscription ID": "e76056e0-70de-4da8-b02e-61263a150b1f",
"Autentication Method": "MANAGEDID",
"Specify Managed Identity Client ID": "&client_id=",
"Managed Identity Client ID": "72d454264f0-ac32-45ea-9158-f8s5433e4ee16",
"Login URL": "https://login.microsoftonline.com",
"Management URL": "https://management.azure.com",
"Connection Timeout": "50",
"Description": "",
"Centralized": true }
The following table describes the Azure Container Instances job connection profile parameters.
|
Parameter |
Authentication Method |
Description |
|---|---|---|
|
Subscription ID |
All Types |
Defines the Azure account subscription ID, which is located in the Azure portal. |
|
Authentication Method |
NA |
Determines one of the following authentication methods to connect to Azure Container Instance:
Managed Identity authentication is based on an Azure token that is valid for 24 hours, by default. You can extend the Token lifetimes in Azure. |
|
Specify Managed Identity Client ID |
Managed Identity |
Determines whether the client ID for the managed identity is specified by the Managed Identity Client ID parameter. Use this option if your Azure virtual machine has multiple managed identities. Set its value to &client_id=. |
|
Managed Identity Client ID |
Managed Identity |
Determines which client ID to use as the managed identity. You only need to complete this field if your Azure Container Instance has multiple managed identities and you have selected the Specify Managed Identity Client ID checkbox. If you only have one ID, it is detected automatically. |
|
Tenant ID |
Service Principal |
Defines the Tenant ID where the Azure Container instance is created. |
|
Application ID |
Service Principal |
Defines the Azure application ID of a Service Principal that has access to interact with Azure Container instances. The service principal must be an Azure Container Instance workspace user with a Contributor or Owner role. |
|
Client Secret |
Service Principal |
Defines the password associated with the Azure user and the application. You can use Secrets in Code to not expose this value in the code. |
|
Login URL |
All Types |
Defines the Azure AD authentication endpoint base URL. Default: https://login.microsoftonline.com Do not change the default value unless you are required to by your Azure Administrator. |
|
Management URL |
All Types |
Defines the Azure service endpoint that enables you to perform API calls and retrieve the token for authentication. Default: https://management.azure.com Do not change the default value unless you are required to by your Azure Administrator. |
|
Connection Timeout |
All Types |
Determines the number of seconds to wait after Control-M initiates a connection request to Azure Container Instances before a timeout occurs. Default: 50 |
|
Centralized |
All Types |
Determines whether to create a centralized connection profile, which is stored in the Control-M database and is available to all Agents. You must set this parameter to true. |
ConnectionProfile:GCP Cloud Run
GCP Cloud Run is a container management service that enables you to execute, stop, manage, and monitor containerized applications in a cluster.
The following example shows how to define a GCP Cloud Run connection profile that authenticates as a service account:
{
"GCR":
{
"Type": "ConnectionProfile:GCP Cloud Run",
"Identity Type": "service_account",
"Cloud Run URL": "https://run.googleapis.com",
"Service Account Key": "*****",
"Description": "",
"Connection Timeout": 20,
"Centralized": true
}
}The following table describes the GCP Cloud Run job connection profile parameters.
|
Parameter |
Description |
|---|---|
|
Identity Type |
Determines one of the following authentication types using GCP Access Control:
|
|
GCP Cloud Run URL |
Defines the Google Cloud Platform (GCP) authentication endpoint for Cloud Run. |
|
Service Account Key |
(Service Account) Defines a service account that is associated with an RSA key pair. |
|
Connection Timeout |
Determines the number of seconds to wait after Control-M initiates a connection request to GCP Cloud Run before a timeout occurs. Default: 20 seconds |
|
Centralized |
Determines whether to create a centralized connection profile, which is stored in the Control-M database and is available to all Agents. You must set this parameter to true. |
ConnectionProfile:Kubernetes
The Kubernetes job enables you to run a pod to completion in a Kubernetes-based cluster.
For more information about this plug-in, see
The following
{
"KBN_CCP":
{
"Type": "ConnectionProfile:Kubernetes",
"Description": "Profile for agent running in the Kubernetes cluster",
"Namespace": "jobspace",
"Kubernetes Cluster URL": "https://kubernetes.default.svc",
"Service Token File": "/var/run/secrets/kubernetes.io/serviceaccount/token",
"Connection Timeout": "50",
"Centralized": true
}
}The following table describes the Kubernetes job connection profile parameters.
|
Parameter |
Description |
|---|---|
|
Namespace |
Defines the name of the Kubernetes namespace. |
|
Kubernetes Cluster URL |
Defines the URL for the connection to the Kubernetes cluster. Default: https://kubernetes.default.svc |
|
Service Token File |
Defines the path to the token file for the connection to Kubernetes. Default: /var/run/secrets/kubernetes.io/serviceaccount/token |
|
Connection Timeout |
Determines the number of seconds to wait after Control-M initiates a connection request to Kubernetes before a timeout occurs. Default: 50 |
|
Centralized |
Determines whether to create a centralized connection profile, which is stored in the Control-M database and is available to all Agents. You must set this parameter to true. |
YouTube
Twitter
Facebook
LinkedIn