RFC 485: AWS Batch Constructs #484
Conversation
batch-l2.md
secret: new Secret(this, 'mySecret'),
mountPath: '/Volumes/secret',
https://kubernetes.io/docs/concepts/storage/volumes/#secret
https://docs.aws.amazon.com/batch/latest/APIReference/API_EksSecret.html
Batch supports secret volumes in kube pods. That means the actual secret value is stored in Kube, life-cycled and authorized by the customer within Kube. The Batch job definition just points to that secret location; setting or specifying secret values is not supported in Batch.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-batch-jobdefinition-eksvolume.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-batch-jobdefinition-secret.html
I used the Secret class here because the EKS Volume Secret requires you to specify a Secrets Manager or SSM Parameter ARN as well as the secret name. The CDK Secret construct exposes both its ARN and name, so it seems natural to use it here.
How is the Secret ARN used by the volume? I thought that the Volume would pull the relevant information from the Secret to set it up, since you have to specify the ARN, but it sounds like that's not the case.
Discussed offline, the CFN types are wrong here
batch-l2.md
}

class SecretPathVolume extends EksVolume {
  secret: ssm.Secret;
Kube (eks) secret is just a volume location pointing at a kube secret resource. SSM is not directly involved in this mapping.
Customers have the ability to populate kube secrets from SSM, but those are still exposed to pods as a generic volume location and secretName string.
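The distinction the two reviewer comments above draw, shown as an added example that is not part of the RFC or of the aws-cdk project: an EKS secret volume in a Batch job definition carries only a Kubernetes Secret name (the Batch EksSecret API fields are secretName and optional), while the ECS-style container Secret (name plus a valueFrom ARN) is the one that points at Secrets Manager or SSM. The objects below are plain TypeScript mirroring those field names, not CDK constructs, and the cluster secret names are a constructed sample.

```typescript
// Added illustration, not code from the RFC or the aws-cdk project. The Batch job
// definition is modelled as plain objects using the Batch API field names.

// EKS pod secret volume (Batch EksSecret API: secretName + optional). It names a
// Kubernetes Secret; the value stays in the cluster under Kubernetes RBAC and the
// job definition never carries it.
interface EksSecretVolume {
  name: string;
  secret: { secretName: string; optional?: boolean };
}

interface EksVolumeMount {
  name: string;
  mountPath: string;
  readOnly?: boolean;
}

interface EksPodProperties {
  containers: { name: string; image: string; volumeMounts: EksVolumeMount[] }[];
  volumes: EksSecretVolume[];
}

// ECS container secret (Batch Secret API: name + valueFrom ARN). Batch resolves the
// Secrets Manager or SSM Parameter Store ARN itself and injects the value into the
// container as an environment variable. This is the shape that takes an ARN.
interface EcsContainerSecret {
  name: string;
  valueFrom: string;
}

export function eksPodWithSecretVolume(secretName: string, mountPath: string): EksPodProperties {
  const volume: EksSecretVolume = { name: `${secretName}-vol`, secret: { secretName, optional: false } };
  return {
    containers: [{
      name: 'app',
      image: 'public.ecr.aws/amazonlinux/amazonlinux:2023', // illustrative image
      volumeMounts: [{ name: volume.name, mountPath, readOnly: true }],
    }],
    volumes: [volume],
  };
}

export function ecsContainerSecret(envName: string, secretArn: string): EcsContainerSecret {
  return { name: envName, valueFrom: secretArn };
}

const ARN_RE = /^arn:aws[a-z-]*:(secretsmanager|ssm):/;

// Check 1: an EKS secret volume must reference a Kubernetes Secret name, never an
// ARN. An ARN here means the ECS "Secret" type was used where an EksSecret belongs.
// Also flag volumes no container mounts, since they do nothing.
export function eksSecretVolumeErrors(pod: EksPodProperties): string[] {
  const errors: string[] = [];
  for (const v of pod.volumes) {
    if (ARN_RE.test(v.secret.secretName)) {
      errors.push(`volume ${v.name}: secretName is an ARN, expected a Kubernetes Secret name`);
    }
    if (!pod.containers.some(c => c.volumeMounts.some(m => m.name === v.name))) {
      errors.push(`volume ${v.name}: declared but not mounted by any container`);
    }
  }
  return errors;
}

// Check 2: the referenced Secret must exist in the target namespace, because the
// job definition only points at it. A missing, non-optional Secret keeps the pod
// from starting; `optional: true` lets the pod start with an empty volume instead.
export function unresolvedSecretVolumes(pod: EksPodProperties, clusterSecretNames: Set<string>): string[] {
  return pod.volumes
    .filter(v => !v.secret.optional && !clusterSecretNames.has(v.secret.secretName))
    .map(v => v.secret.secretName);
}

// Constructed sample: Secret names present in the namespace, as `kubectl get
// secrets -n <ns>` would list them. Only names are needed; values never leave Kube.
export const sampleClusterSecretNames = new Set<string>(['db-credentials', 'tls-cert']);

const good = eksPodWithSecretVolume('db-credentials', '/Volumes/secret');
const wrong = eksPodWithSecretVolume(
  'arn:aws:secretsmanager:us-east-1:123456789012:secret:db-credentials-AbCdEf', '/Volumes/secret');
const missing = eksPodWithSecretVolume('api-key', '/Volumes/secret');
console.log(eksSecretVolumeErrors(good));                                // []
console.log(eksSecretVolumeErrors(wrong));                               // one ARN error
console.log(unresolvedSecretVolumes(missing, sampleClusterSecretNames)); // ['api-key']
```

The first check is the one a construct like the proposed SecretPathVolume would want: if the L2 accepts a Secrets Manager or SSM construct for an EKS volume, the synthesized template will contain an ARN where Batch expects a Kubernetes Secret name, and the job fails at pod creation rather than at deploy time. The second check is what actually governs whether the job runs: the Secret must already exist in the cluster, managed by whoever owns that namespace, which is the life-cycle point the reviewer makes.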
I approve of most of this, couple of details to work out but otherwise good!
This is a request for comments on a set of Batch L2 Constructs. See #485 for
additional details.
APIs are signed off by @rix0rrr.
By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache-2.0 license