Set up multicluster for SCST - Scan 1.0

This topic tells you how to set up your configuration to enable SCST - Scan 1.0 to connect with SCST - Store in a multicluster deployment.

Important

Scan 1.0 was deprecated in Tanzu Application Platform v1.10. The default scan component to use in the Test and Scan supply chain is Scan 2.0. These steps are required in addition to the earlier steps if you are still using Scan 1.0. For more information about Scan 1.0 and Scan 2.0, see the SCST - Scan component overview. For instructions to set up multicluster for Scan 2.0, see Set up multicluster Artifact Metadata Repository.

Procedure summary

To deploy SCST - Store in a multicluster setup:

  1. Copy the Metadata Store CA certificate from the View cluster
  2. Copy the Metadata Store authentication token from the View cluster
  3. Configure the Metadata Store CA certificate and authentication token on the Build cluster
  4. Configure Grype in the Build profile values file
  5. Export SCST - Store secrets to a developer namespace in a multicluster deployment
  6. Install the Build and Run profiles

Copy the Metadata Store CA certificate from the View cluster

With your kubectl targeted at the View cluster, copy the TLS CA certificate for Metadata Store to the MDS_CA_CERT environment variable by running:

MDS_CA_CERT=$(kubectl get secret -n metadata-store ingress-cert -o json | jq -r ".data.\"ca.crt\"" | base64 -d)

Copy the Metadata Store authentication token from the View cluster

Copy the Metadata Store authentication token into the MDS_AUTH_TOKEN environment variable by running:

MDS_AUTH_TOKEN=$(kubectl get secrets metadata-store-read-write-client -n metadata-store -o jsonpath="{.data.token}" | base64 -d)

Configure the Metadata Store CA certificate and authentication token on the Build cluster

Within the Build profile values.yaml file, add the following snippet:

scanning:
  metadataStore:
    exports:
      ca:
        pem: |
          <CONTENTS OF $MDS_CA_CERT>
      auth:
        token: <CONTENTS OF $MDS_AUTH_TOKEN>

This snippet contains the content of $MDS_CA_CERT and $MDS_AUTH_TOKEN copied earlier. This content configures SCST - Scan with the Metadata Store CA certificate and authentication token.

Configure Grype in the Build profile values file

The Build profile values.yaml file uses the secrets you created to configure the Grype scanner that communicates with SCST - Store. After performing a vulnerability scan, the Grype scanner sends the scan result to SCST - Store.

For example:

...
grype:
  targetImagePullSecret: "TARGET-REGISTRY-CREDENTIALS-SECRET"
  metadataStore:
    url: METADATA-STORE-URL-ON-VIEW-CLUSTER # URL with http / https
    caSecret:
        name: store-ca-cert
        importFromNamespace: metadata-store-secrets # Must match with ingress-cert.data."ca.crt" of store on view cluster
    authSecret:
        name: store-auth-token # Must match with valid store token of metadata-store on view cluster
        importFromNamespace: metadata-store-secrets
...

Where:

  • METADATA-STORE-URL-ON-VIEW-CLUSTER is the ingress URL of SCST - Store deployed to the View cluster. For example, https://metadata-store.example.com. For more information, see Ingress support.
  • TARGET-REGISTRY-CREDENTIALS-SECRET is the name of the secret that contains the credentials to pull an image from the registry for scanning.

Export SCST - Store secrets to a developer namespace in a multicluster deployment

SCST - Scan 1.0 requires SCST - Store to be configured in every developer namespace with an SCST - Store certificate and authentication token.

To export the secrets to the developer namespaces by creating SecretExport resources in the metadata-store-secrets namespace:

  1. Verify that you created and populated the metadata-store-secrets namespace.
  2. Create the SecretExport resources by running:

    cat <<EOF | kubectl apply -f -
    ---
    apiVersion: secretgen.carvel.dev/v1alpha1
    kind: SecretExport
    metadata:
     name: store-ca-cert
     namespace: metadata-store-secrets
    spec:
     toNamespaces: [DEV-NAMESPACES]
    ---
    apiVersion: secretgen.carvel.dev/v1alpha1
    kind: SecretExport
    metadata:
     name: store-auth-token
     namespace: metadata-store-secrets
    spec:
     toNamespaces: [DEV-NAMESPACES]
    EOF
    

    Where DEV-NAMESPACES is an array of developer namespaces where the Metadata Store secrets are exported.
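The steps above, from copying the two values off the View cluster through the values.yaml snippet and the SecretExport resources, assembled into one script as an added example that is not part of the original topic. It rejects an empty token or a non-PEM certificate (the usual symptom of kubectl pointing at a cluster other than the View cluster, or of the secret not existing yet), renders the scanning.metadataStore.exports block with the multi-line PEM indented correctly under pem: |, and renders the two SecretExport resources for a list of developer namespaces. The certificate and token below are constructed stand-ins; in use they are the MDS_CA_CERT and MDS_AUTH_TOKEN variables that the kubectl commands populate, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the TAP docs: render the Build-profile values.yaml
# snippet and the SecretExport manifest from the values copied off the View
# cluster. Constructed stand-ins replace $MDS_CA_CERT and $MDS_AUTH_TOKEN so the
# script runs offline.

# Constructed sample values (not a real certificate or token).
SAMPLE_CA_CERT='-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUEXAMPLEONLYNOTAREALCERT0000000000wCgYIKoZIzj0EAwIw
-----END CERTIFICATE-----'
SAMPLE_AUTH_TOKEN='eyJhbGciOiJSUzI1NiJ9.constructed-example-token'

# check_mds_inputs CA TOKEN: fail early if either copy step produced nothing
# usable, instead of installing a Build profile that cannot reach the Store.
check_mds_inputs() {
  ca="$1"; token="$2"
  [ -n "$token" ] || { echo "MDS_AUTH_TOKEN is empty" >&2; return 1; }
  case "$ca" in
    *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) ;;
    *) echo "MDS_CA_CERT does not look like a PEM certificate" >&2; return 1 ;;
  esac
  return 0
}

# render_scanning_values CA TOKEN: print the scanning.metadataStore.exports
# block. The PEM spans several lines, so every line is indented ten spaces
# under "pem: |"; a bare paste breaks the YAML block scalar.
render_scanning_values() {
  ca="$1"; token="$2"
  printf 'scanning:\n  metadataStore:\n    exports:\n      ca:\n        pem: |\n'
  printf '%s\n' "$ca" | sed 's/^/          /'
  printf '      auth:\n        token: %s\n' "$token"
}

# render_secret_exports NS...: print one SecretExport per Store secret,
# exporting from metadata-store-secrets to the developer namespaces given
# as arguments (the DEV-NAMESPACES array in the topic).
render_secret_exports() {
  list=""
  for ns in "$@"; do
    list="${list:+$list, }$ns"
  done
  for secret in store-ca-cert store-auth-token; do
    printf '%s\n' '---'
    printf 'apiVersion: secretgen.carvel.dev/v1alpha1\nkind: SecretExport\n'
    printf 'metadata:\n  name: %s\n  namespace: metadata-store-secrets\n' "$secret"
    printf 'spec:\n  toNamespaces: [%s]\n' "$list"
  done
}

# Stand-alone run: validate, then print both manifests for two sample namespaces.
if check_mds_inputs "$SAMPLE_CA_CERT" "$SAMPLE_AUTH_TOKEN"; then
  render_scanning_values "$SAMPLE_CA_CERT" "$SAMPLE_AUTH_TOKEN"
  render_secret_exports dev-team-a dev-team-b
fi
```

The token is the read-write client credential for the Store, so the rendered values.yaml is itself sensitive: keep it out of version control or supply the two values at install time, and list in toNamespaces only the developer namespaces that run scans rather than every namespace on the Build cluster.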

For information about metadata configuration, see Cluster-specific scanner configurations.

Important

In a multicluster configuration, copy the Metadata Store values mentioned earlier from the View cluster to the values.yaml file that you used to install the Build cluster.

Install the Build and Run profiles

If you came to this topic from Install multicluster Tanzu Application Platform profiles after installing the View profile, return to that topic to install the Build profile and install the Run profile.
