Ingress support for Supply Chain Security Tools - Store

This topic describes how to configure ingress for Supply Chain Security Tools (SCST) - Store.

Ingress configuration

Supply Chain Security Tools (SCST) - Store has ingress support by using Contour’s HTTPProxy resources. To enable ingress support, a Contour installation must be available in the cluster.

To change ingress configuration, edit your tap-values.yaml when you install a Tanzu Application Platform profile. When you configure the shared.ingress_domain property, SCST - Store automatically uses that setting.

Alternatively, you can customize SCST - Store’s configuration under the metadata_store property. Under metadata_store, there are two values to configure the proxy:

  • ingress_enabled
  • ingress_domain

This is an example snippet in a tap-values.yaml:

  ingress_enabled: "true"
  ingress_domain: ""
  app_service_type: "ClusterIP"  # Defaults to `LoadBalancer`. If ingress is enabled then this must be set to `ClusterIP`.

SCST - Store installation creates an HTTPProxy entry with host routing by using the qualified name METADATA-STORE.INGRESS-DOMAIN. For example, The route supports HTTPS communication using a certificate. By default, a self-signed certificate is used with the same subject alternative name. For more information, see Custom certificate configuration.

Contour and DNS setup are not part of SCST - Store installation. Access to SCST - Store using Contour depends on the correct configuration of these two components.

Make the proper DNS record available to clients to resolve metadata-store and set ingress_domain to Envoy service’s external IP address.

DNS setup example:

$ kubectl describe svc envoy -n tanzu-system-ingress
> ...
  Type:                     LoadBalancer
  LoadBalancer Ingress:
  Port:                     https  443/TCP

$ nslookup
> Server:

  Non-authoritative answer:

$ curl -k -v
> ...
  < HTTP/2 200

The preceding curl example uses the not secure -k flag to skip TLS verification because the Store installs a self-signed certificate. The following section shows how to access the CA certificate to enable TLS verification for HTTP clients.

Get the TLS CA certificate

To get SCST - Store’s TLS CA certificate, use kubectl get secret. In this example, you save the certificate for the environment variable to a file.

kubectl get secret CERT-NAME -n metadata-store -o json | jq -r '.data."ca.crt"' | base64 -d > OUTPUT-FILE


  • CERT-NAME is the name of the certificate. This must be ingress-cert if no custom certificate is used.
  • OUTPUT-FILE is the file you want to create to store the certificate.

For example:

$ kubectl get secret ingress-cert -n metadata-store -o json | jq -r '.data."ca.crt"' | base64 -d > insight-ca.crt
$ cat insight-ca.crt

Additional Resources

check-circle-line exclamation-circle-line close-line
Scroll to top icon