Deployment details and configuration for Supply Chain Security Tools - Store

This topic describes how you can deploy and configure your Kubernetes cluster for Supply Chain Security Tools (SCST) - Store.

What is deployed

The installation creates the following in your Kubernetes cluster:

  • Four components:
    • metadata-store API back end
    • Database
    • AMR API back end. If AMR is deployed, see Deploying AMR.
    • AMR CloudEvent Handler. If AMR is deployed, see Deploying AMR.
  • Services for each of the four components, named:
    • metadata-store-app
    • metadata-store-db
    • amr-cloudevent-handler. If AMR is deployed, see Deploying AMR.
    • amr-graphql-app. If AMR is deployed, see Deploying AMR.
  • A namespace called metadata-store.
  • Persistent volume claim postgres-db-pv-claim in the metadata-store namespace.
  • A Kubernetes secret in the namespace tap is installed to allow pulling SCST - Store images from a registry.
  • Two ClusterRoles:
    • metadata-store-read-write-client is bound to a service account by default, giving the service account read and write privileges
    • metadata-store-read-only isn’t bound to any service accounts, you can bind to it if needed. See Service Accounts.
  • (Optional) An HTTPProxy object for ingress support.

Deployment configuration

All configurations are nested inside of metadata_store in your Tanzu Application Platform values deployment YAML. AMR specific configurations are nested under amr in the metadata_store section.

Supported Network Configurations

VMware recommends the following connection methods for Tanzu Application Platform:

  • For a single or multicluster configuration with Contour, use Ingress.
  • For a single cluster without Contour and with LoadBalancer support configuration, use LoadBalancer.
  • For a single cluster without Contour and without LoadBalancer configuration, use NodePort.
  • Multicluster without Contour configuration is not supported.

For a production environment, VMware recommends installing SCST - Store with ingress enabled.

App service type

The Metadata Store’s app service type is configured inside the metadata_store property of the values file.

metadata_store:
  app_service_type: "ClusterIP"

Supported values include:

  • LoadBalancer
  • ClusterIP
  • NodePort

The app_service_type is set to ClusterIP by default.

Ingress support

SCST - Store’s values file allows you to enable ingress support and to configure a custom domain name to use Contour to provide external access to SCST - Store’s API. These ingress configurations are shared for the metadata store and AMR. Enabling ingress for store enables it for both metadata store and AMR.

For example:

metadata_store: 
  ingress_enabled: "true"
  ingress_domain: "example.com"
  app_service_type: "ClusterIP" # recommended setting when ingress is enabled

An HTTPProxy object is installed with metadata-store.example.com as the fully qualified domain name. See Ingress.

Note

The ingress_enabled property expects a string value of "true" or "false", not a Boolean value.

Database configuration

The default database included with the deployment gets you started using the metadata store. The default database deployment does not support many enterprise production requirements, including scaling, redundancy, or fail over. However, it is a secure deployment.

Using AWS RDS PostgreSQL database

Users can also configure the deployment to use their own RDS database instead of the default. See AWS RDS Postgres Configuration.

Using external PostgreSQL database

Users can configure the deployment to use any other PostgreSQL database. See Use external postgres database.

Custom database password

By default, a database password is generated upon deployment. To configure a custom password, use the metadata_store.db_password property in the values file

Important

There is a known issue related to changing database passwords Persistent Volume Retains Data.

To configure a custom database password for AMR:

metadata_store:
  db_password: "PASSWORD"

Where PASSWORD is the same password used for both deployments.

Service accounts

By default, a service account with read-write privileges to the metadata store app is installed. This service account is a cluster-wide account that uses ClusterRole. If you don’t want the service account and role, set the add_default_rw_service_account property to "false". To create a custom service account, see Create Service Account.

The store creates a read-only cluster role, which is bound to a service account by using ClusterRoleBinding. To create service accounts to bind to this cluster role, see Create Service Account.

Exporting certificates

SCST - Store creates a Secret Export for exporting certificates to Supply Chain Security Tools - Scan to securely post scan results. These certificates are exported to the namespace where Supply Chain Security Tools - Scan is installed.

check-circle-line exclamation-circle-line close-line
Scroll to top icon