Configure target endpoint and certificate

The connection to the Store requires TLS encryption, and the configuration depends on the kind of installation. Use the following instructions to set up the TLS connection according to your setup:

VMware recommended connection methods based on Tanzu Application Platform setup:

  • Single or multi-cluster with Contour = Ingress
  • Single cluster without Contour and with LoadBalancer support = LoadBalancer
  • Single cluster without Contour and without LoadBalancer = Port forwarding
  • Single cluster without Contour, without LoadBalancer and user does not have port forwarding access = NodePort
  • Multi-cluster without Contour = Not supported

For a production environment, VMware recommends that the Store is installed with ingress enabled.

Using Ingress

When using an Ingress setup, the Store creates a specific TLS Certificate for HTTPS communications under the metadata-store namespace.

To get a certificate, run:

kubectl get secret ingress-cert -n metadata-store -o json | jq -r '.data."ca.crt"' | base64 -d > insight-ca.crt

The endpoint host is set to metadata-store.<ingress-domain>, for example, metadata-store.example.domain.com. This value matches the value of ingress_domain.

If no accessible DNS record exists for the domain, edit the /etc/hosts file to add a local record:

ENVOY_IP=$(kubectl get svc envoy -n tanzu-system-ingress -o jsonpath="{.status.loadBalancer.ingress[0].ip}")

# Replace with your domain
METADATA_STORE_DOMAIN="metadata-store.example.domain.com"

# Delete any previously added entry
# Note: "sed -i ''" is BSD/macOS syntax. On GNU sed (Linux) use:
#   sudo sed -i "/$METADATA_STORE_DOMAIN/d" /etc/hosts
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts

echo "$ENVOY_IP $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null

Set the target by running:

tanzu insight config set-target https://$METADATA_STORE_DOMAIN --ca-cert insight-ca.crt

Without Ingress

If you install the Store without using the Ingress alternative, you must use a different Certificate resource for HTTPS communication. In this case, query the app-tls-cert to get the CA Certificate:

kubectl get secret app-tls-cert -n metadata-store -o json | jq -r '.data."ca.crt"' | base64 -d > insight-ca.crt

LoadBalancer

To use a LoadBalancer configuration, you must find the external IP address of the metadata-store-app service by using kubectl.

METADATA_STORE_IP=$(kubectl get service/metadata-store-app --namespace metadata-store -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
METADATA_STORE_PORT=$(kubectl get service/metadata-store-app --namespace metadata-store -o jsonpath="{.spec.ports[0].port}")
METADATA_STORE_DOMAIN="metadata-store-app.metadata-store.svc.cluster.local"

# Delete any previously added entry (BSD/macOS sed syntax; on GNU sed omit the empty '')
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts

echo "$METADATA_STORE_IP $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null

On EKS, you must obtain the IP address for the LoadBalancer yourself. Find it by running something similar to the following: dig RANDOM-SHA.us-east-2.elb.amazonaws.com, where RANDOM-SHA is the EXTERNAL-IP value returned for the LoadBalancer. Select one of the IP addresses returned by the dig command and write it to the /etc/hosts file.

Set the target by running:

tanzu insight config set-target https://$METADATA_STORE_DOMAIN:$METADATA_STORE_PORT --ca-cert insight-ca.crt

Port forwarding

Configure port forwarding for the service so the CLI can access Supply Chain Security Tools - Store. Run:

kubectl port-forward service/metadata-store-app 8443:8443 -n metadata-store

To use port forwarding, obtain the CA certificate as described in Without Ingress above, then follow these instructions:

Modify your /etc/hosts file for Port Forwarding

Use the following script to add a new local entry to /etc/hosts:

METADATA_STORE_PORT=$(kubectl get service/metadata-store-app --namespace metadata-store -o jsonpath="{.spec.ports[0].port}")
METADATA_STORE_DOMAIN="metadata-store-app.metadata-store.svc.cluster.local"

# Delete any previously added entry (BSD/macOS sed syntax; on GNU sed omit the empty '')
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts

echo "127.0.0.1 $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null

Note: You must run the following command in a separate terminal window, or run the command in the background: kubectl port-forward service/metadata-store-app 8443:8443 -n metadata-store &

Set the target by running:

tanzu insight config set-target https://$METADATA_STORE_DOMAIN:$METADATA_STORE_PORT --ca-cert insight-ca.crt

NodePort

NodePort is used to connect the CLI and Metadata Store as an alternative to port forwarding. This is useful when the user does not have port forward access to the cluster.

Note: NodePort is only recommended when the cluster does not support ingress or does not support LoadBalancer-type services. NodePort is not supported for a multi-cluster setup, because the certificates cannot be modified; for example, the Metadata Store does not currently support a BYO certificate.

To use NodePort, obtain the CA certificate as described in Without Ingress above, then follow these instructions:

Edit your /etc/hosts file for Node Port

Use the following script to add a new local entry to /etc/hosts:

METADATA_STORE_PORT=$(kubectl get service/metadata-store-app -n metadata-store -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')

METADATA_STORE_HOST_IP=$(kubectl get pods -n metadata-store -o jsonpath='{.items[?(@.metadata.labels.app=="metadata-store-app")].status.hostIP}' | xargs -n1 | head -n1)

METADATA_STORE_DOMAIN="metadata-store-app.metadata-store.svc.cluster.local"

# Delete any previously added entry (BSD/macOS sed syntax; on GNU sed omit the empty '')
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts

echo "$METADATA_STORE_HOST_IP $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null

Set the target by running:

tanzu insight config set-target https://$METADATA_STORE_DOMAIN:$METADATA_STORE_PORT --ca-cert insight-ca.crt
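Each of the sections above (Ingress, LoadBalancer, Port forwarding, NodePort) edits /etc/hosts with `sed -i '' "/$METADATA_STORE_DOMAIN/d"`. That pattern is BSD-only syntax and a substring regex, so it can also remove entries for other hosts whose names contain the Store's domain. The following is an added example, not part of the Tanzu documentation, that performs the same update portably and matches whole hostname fields only; the function names and the sample hosts file are constructed.

```shell
#!/bin/sh
# Portable, exact-match replacement for the "sed -i '' ..." step used above.
# Works with both BSD (macOS) and GNU userland; operates on any hosts file
# path so it can be exercised on a copy before touching /etc/hosts.
#
# Usage: set_hosts_entry <hosts-file> <ip> <domain>
# Real file: sudo sh -c '. ./hosts.sh; set_hosts_entry /etc/hosts "$IP" "$DOMAIN"'
set -eu

set_hosts_entry() {
    hosts_file=$1; new_ip=$2; domain=$3
    tmp=$(mktemp)
    # Drop every non-comment line that lists the domain as a whole hostname
    # field (fields 2..NF); comments, blank lines and other hosts are kept.
    awk -v d="$domain" '
        /^[ \t]*#/ || NF == 0 { print; next }
        {
            keep = 1
            for (i = 2; i <= NF; i++) if ($i == d) keep = 0
            if (keep) print
        }' "$hosts_file" > "$tmp"
    printf '%s %s\n' "$new_ip" "$domain" >> "$tmp"
    cat "$tmp" > "$hosts_file"   # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Print the address currently mapped to a domain (empty if none).
hosts_lookup() {
    awk -v d="$2" '!/^[ \t]*#/ { for (i = 2; i <= NF; i++) if ($i == d) { print $1; exit } }' "$1"
}

# Constructed demo: an old Store entry plus a different host whose name
# merely contains the Store's domain (the page's sed would delete both).
demo() {
    f=$(mktemp)
    printf '127.0.0.1 localhost\n10.0.0.9 metadata-store.example.domain.com\n10.0.0.10 my-metadata-store.example.domain.com\n' > "$f"
    set_hosts_entry "$f" 192.0.2.10 metadata-store.example.domain.com
    hosts_lookup "$f" metadata-store.example.domain.com      # 192.0.2.10
    hosts_lookup "$f" my-metadata-store.example.domain.com   # 10.0.0.10 (kept)
    rm -f "$f"
}
```

Run `demo` to see the behaviour on a throwaway file; the same functions apply to /etc/hosts when invoked with sudo.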