Deployment details and configuration

What is deployed

The installation creates the following in your Kubernetes cluster:

  • Two components — an API backend and a database. Each component includes:
    • service
    • deployment
    • replicaset
    • pod
  • Persistent volume and persistent volume claim.
  • External IP (based on a deployment configuration set to use LoadBalancer).
  • A Kubernetes secret to allow pulling Supply Chain Security Tools - Store images from a registry.
  • A namespace called metadata-store.
  • A service account with read-write privileges named metadata-store-read-write-client. It’s bound to a ClusterRole named metadata-store-read-write.
  • A read-only ClusterRole named metadata-store-read-only that isn’t bound to a service account. See Service Accounts.

Deployment configuration

Database configuration

The default database that ships with the deployment is meant to get users started using the metadata store. The default database deployment does not support many enterprise production requirements, including scaling, redundancy, or failover. However, it is still a secure deployment.

Using AWS RDS postgres database

Users can also configure the deployment to use their own RDS database instead of the default. See AWS RDS Postgres Configuration.

Custom database password

By default, a database password is generated automatically upon deployment. To configure a custom password, use the db_password property in the metadata-store-values.yaml during deployment.

db_password: "PASSWORD-0123"

If you’re deploying with TAP profiles, in tap-values.yaml, put:

metadata_store:
  db_password: "PASSWORD-0123"

Where PASSWORD-0123 is the same password used between deployments.

Note: there is a known issue related to changing database passwords Known Issues - Persistent Volume Retains Data.

App service type

If your environment does not support LoadBalancer, and you want to use NodePort, configure the app_service_type property in your metadata-store-values.yaml:

app_service_type: "LoadBalancer"

Service accounts

By default, a service account with read-write privileges to the metadata store app is installed. This service account is a cluster-wide account that uses ClusterRole. If you don’t want the service account and role, set the add_default_rw_service_account property to "false". To create a custom service account, see create service account.

The store will automatically create a read-only cluster role, which may be bound to a service account via ClusterRoleBinding. To create service accounts to bind to this cluster role, see create service account.

Exporting certificates

Supply Chain Security Tools - Store creates Secret Export for exporting certificates to Supply Chain Security Tools - Scan to securely post scan results. These certificates are exported to the namespace where Supply Chain Security Tools - Scan is installed.

check-circle-line exclamation-circle-line close-line
Scroll to top icon