Ingress support for Supply Chain Security Tools - Store

This topic tells you how to configure ingress for Supply Chain Security Tools (SCST) - Store.

Ingress configuration

SCST - Store has ingress support by using the Contour HTTPProxy resources. To enable ingress support, a Contour installation must be available in the cluster.

To change ingress configuration, edit your tap-values.yaml when you install a Tanzu Application Platform profile. When you configure the shared.ingress_domain property, SCST - Store automatically uses that setting.

Alternatively, you can customize the SCST - Store configuration under the metadata_store property. Under metadata_store, there are two values to configure the proxy:

  • ingress_enabled
  • ingress_domain

This is an example snippet in tap-values.yaml:

...
metadata_store:
  ingress_enabled: "true"
  ingress_domain: "example.com"
  app_service_type: "ClusterIP"  # Defaults to `LoadBalancer`. If ingress is enabled then this must be set to `ClusterIP`.
...

The SCST - Store installation creates an HTTPProxy entry with host routing by using the qualified name METADATA-STORE.INGRESS-DOMAIN. For example, metadata-store.example.com. The route supports HTTPS communication using a certificate. By default, a self-signed certificate is used with the same subject alternative name. For more information, see Custom certificate configuration.

Contour and DNS setup are not part of SCST - Store installation. Access to SCST - Store using Contour depends on the correct configuration of these two components.

Make the proper DNS record available to clients to resolve metadata-store and set ingress_domain to Envoy service’s external IP address.

DNS setup example:

$ kubectl describe svc envoy -n tanzu-system-ingress
> ...
  Type:                     LoadBalancer
  ...
  LoadBalancer Ingress:     100.2.3.4
  ...
  Port:                     https  443/TCP
  ...

$ nslookup metadata-store.example.com
> Server:    8.8.8.8
  Address:  8.8.8.8#53

  Non-authoritative answer:
  Name:  metadata-store.example.com
  Address: 100.2.3.4

$ curl https://metadata-store.example.com/api/health -k -v
> ...
  < HTTP/2 200
  ...
Note

The preceding curl example uses the insecure -k flag to skip TLS verification because the Store installs a self-signed certificate. The following section shows how to access the CA certificate to enable TLS verification for HTTP clients.

Get the TLS CA certificate

To get SCST - Store’s TLS CA certificate, save the certificate for the environment variable to a file by running:

kubectl get secret CERT-NAME -n metadata-store -o json | jq -r '.data."ca.crt"' | base64 -d > OUTPUT-FILE

Where:

  • CERT-NAME is the name of the certificate. This must be ingress-cert if no custom certificate is used.
  • OUTPUT-FILE is the file you want to create to store the certificate in.

For example:

$ kubectl get secret tap-ingress-selfsigned-root-ca -n cert-manager -o json | jq -r '.data."ca.crt"' | base64 -d > insight-ca.crt
$ cat insight-ca.crt

Additional Resources

check-circle-line exclamation-circle-line close-line
Scroll to top icon