The installation creates the following in your Kubernetes cluster. Among the objects created are a service account named metadata-store-read-write-client, which has read-write privileges to the metadata store app and is bound to a ClusterRole, and a ClusterRole named metadata-store-read-only that isn't bound to any service account. See Service Accounts.
The default database included with the deployment is meant to get users started with the metadata store. It does not support many enterprise production requirements, such as scaling, redundancy, or failover. It is, however, still a secure deployment.
Users can also configure the deployment to use their own RDS database instead of the default. See AWS RDS Postgres Configuration.
By default, a database password is generated automatically upon deployment. To configure a custom password, set the db_password property in metadata-store-values.yaml during deployment.

If you're deploying with Tanzu Application Platform profiles, set it under the metadata_store key of your profile values file:

```yaml
metadata_store:
  db_password: "PASSWORD-0123"
```

Where PASSWORD-0123 is your chosen password. Use the same password for every deployment against the same persistent volume; the stored database keeps the credentials it was created with.

Note: there is a known issue related to changing database passwords. See Persistent Volume Retains Data.
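The following shell functions are an added example, not code from the Tanzu documentation or the Store itself. They show one way to handle db_password so that the same value is reused on every redeployment: generate a random password once, keep it in a mode-0600 file, and render the db_password line from it. The password file path, the helper names, and the character-set check are assumptions made for this example; in a real pipeline the file would be replaced by a secrets manager entry.

```shell
#!/bin/sh
# Added example: manage the Store db_password so redeployments reuse the same value.
# Assumption: the password lives in a local file (PASSWORD_FILE argument) readable
# only by the operator; swap this for a secrets manager in a real pipeline.
set -eu

# Generate a 32-character hex password from the kernel RNG (never use $RANDOM).
gen_db_password() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Return the stored password, creating and persisting one on first use.
# Reusing the same value matters because the persistent volume retains the
# database, which still expects the password it was initialised with.
load_or_create_db_password() {
    password_file=$1
    if [ ! -s "$password_file" ]; then
        # subshell so the restrictive umask (file created 0600) does not leak out
        ( umask 077; gen_db_password > "$password_file" )
    fi
    cat "$password_file"
}

# Render the metadata-store-values.yaml line. A password containing quotes or
# newlines would break the YAML, so anything outside a safe character set is refused.
render_db_values() {
    password=$1
    case $password in
        ""|*[!A-Za-z0-9_-]*) echo "refusing unsafe password characters" >&2; return 1 ;;
    esac
    printf 'db_password: "%s"\n' "$password"
}

# Same setting nested under metadata_store, for a TAP profile values file.
render_profile_db_values() {
    printf 'metadata_store:\n  db_password: "%s"\n' "$1"
}

# Typical use: render_db_values "$(load_or_create_db_password ./store-db-password)" > metadata-store-values.yaml
```

Calling load_or_create_db_password twice with the same file returns the same password, which is the property the note above asks for; the generated value is hex, so it always passes the character-set check in render_db_values.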
If your environment does not support LoadBalancer, and you want to use NodePort, set the app_service_type property to NodePort in your metadata-store-values.yaml.
By default, a service account with read-write privileges to the metadata store app is installed. This is a cluster-wide account bound to a ClusterRole. If you don't want the service account and role, set the add_default_rw_service_account property to "false". To create a custom service account, see Configure access tokens.

The store also creates a read-only ClusterRole, which can be bound to a service account through a ClusterRoleBinding. To create service accounts to bind to this cluster role, see Configure access tokens.
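As an added example (not from the Tanzu documentation or the Store's own manifests), the shell functions below render the least-privilege variant the text describes: a values fragment that disables the default cluster-wide read-write service account, plus a ServiceAccount and a ClusterRoleBinding that grant a dedicated account only the metadata-store-read-only ClusterRole. The service account name, its namespace, and the binding name are assumptions for illustration; the ClusterRole name is the one the Store creates.

```shell
#!/bin/sh
# Added example: least-privilege RBAC for readers of the Store.
# Assumptions: the consumer namespace, service account and binding names are
# illustrative; metadata-store-read-only is the ClusterRole the Store installs.
set -eu

# Values fragment: skip the default cluster-wide read-write service account;
# readers get a dedicated, read-only account instead (rendered below).
render_rbac_values() {
    printf 'add_default_rw_service_account: "false"\n'
}

# Accept only DNS-1123 labels so a caller cannot inject YAML through a name.
valid_k8s_name() {
    case $1 in
        ""|*[!a-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ ${#1} -le 63 ]
}

# Render a ServiceAccount and a ClusterRoleBinding to the read-only ClusterRole.
# Usage: render_readonly_binding <namespace> <serviceaccount> <binding-name>
render_readonly_binding() {
    ns=$1 sa=$2 binding=$3
    for n in "$ns" "$sa" "$binding"; do
        valid_k8s_name "$n" || { echo "invalid name: $n" >&2; return 1; }
    done
    cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $sa
  namespace: $ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metadata-store-read-only
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
EOF
}

# Guard to run before applying: the rendered manifest must reference the
# read-only ClusterRole and must not mention a read-write one anywhere.
binding_is_read_only() {
    manifest=$1
    printf '%s\n' "$manifest" | grep -q 'name: metadata-store-read-only' &&
      ! printf '%s\n' "$manifest" | grep -q 'read-write'
}

# Apply with: render_readonly_binding scan-consumers store-reader store-reader-ro | kubectl apply -f -
```

The token for the dedicated service account is what a consumer such as the Scan component presents to the Store API; because the binding's roleRef points at metadata-store-read-only, a compromised consumer cannot write or alter stored results.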
Supply Chain Security Tools - Store creates a SecretExport that exports its certificates to Supply Chain Security Tools - Scan, so that Scan can post scan results to the Store over TLS. These certificates are exported to the namespace where Supply Chain Security Tools - Scan is installed.
Supply Chain Security Tools - Store's values file allows you to enable ingress support and configure a custom domain name, so that Contour provides external access to Supply Chain Security Tools - Store's API. For example:

```yaml
ingress_enabled: "true"
ingress_domain: "example.com"
```

An HTTPProxy object is then installed with metadata-store.example.com as the fully qualified domain name. See Ingress and multicluster support.