Configure your Tanzu Insight CLI plug-in

This topic tells you how to configure your Tanzu Insight CLI plug-in.

Set the target and certificate authority (CA) certificate

These instructions are for the recommended configuration where Ingress is enabled. For instructions on non Ingress setups, see Configure target endpoint and certificate.

Set the endpoint host to:

metadata-store.INGRESS-DOMAIN

Where INGRESS-DOMAIN is the value of the ingress_domain property in your deployment YAML

Example:

metadata-store.example.domain.com
Note

In a multicluster setup, a DNS record is required for the domain. The following instructions for single cluster setup do not apply, skip to the Set the target section.

Single-cluster setup

In a single-cluster setup, a DNS record is still recommended. However, if no accessible DNS record exists for the domain, edit the /etc/hosts file to add a local record:

ENVOY_IP=$(kubectl get svc envoy -n tanzu-system-ingress -o jsonpath="{.status.loadBalancer.ingress[0].ip}")

# Replace with your domain
METADATA_STORE_DOMAIN="metadata-store.example.domain.com"

# Delete any previously added entry
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts

echo "$ENVOY_IP $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null

Set the target

To get the certificate, run:

kubectl get secret tap-ingress-selfsigned-root-ca -n cert-manager -o json | jq -r '.data."ca.crt"' | base64 -d > insight-ca.crt

Set the target by running:

tanzu insight config set-target https://$METADATA_STORE_DOMAIN --ca-cert insight-ca.crt
Important

The tanzu insight config set-target does not initiate a test connection. Use tanzu insight health to test connecting using the configured endpoint and CA certificate. Neither commands test whether the access token is correct. For that you must use the plug-in to add data and query data.

Set the access token

When using the insight plug-in, you must set the METADATA_STORE_ACCESS_TOKEN environment variable, or use the --access-token flag. VMware discourages using the --access-token flag as the token appears in your shell history.

The following command retrieves the access token from the default metadata-store-read-write-client service account and stores it in METADATA_STORE_ACCESS_TOKEN:

export METADATA_STORE_ACCESS_TOKEN=$(kubectl get secrets metadata-store-read-write-client -n metadata-store -o jsonpath="{.data.token}" | base64 -d)

Verify the connection

Verify that your configuration is correct and you can make a connection using tanzu insight health.

Important

The tanzu insight health command tests the configured endpoint and CA certificate. However, it does not test whether the access token is correct. For that, you must use the plug-in to add and query data.

For example:

$ tanzu insight health
Success: Reached Metadata Store!
check-circle-line exclamation-circle-line close-line
Scroll to top icon