This topic describes how you can configure your target endpoint and certificate for Supply Chain Security Tools (SCST) - Store.
The connection to Supply Chain Security Tools - Store requires TLS encryption, and the configuration depends on the kind of installation.
For a production environment, VMware recommends that SCST - Store is installed with ingress enabled. The following instructions help set up the TLS connection, assuming that you deployed with ingress enabled.
Ingress
When using an Ingress setup, SCST - Store creates a specific TLS certificate for HTTPS communications under the metadata-store namespace.
Set the endpoint host to metadata-store.INGRESS-DOMAIN, such as metadata-store.example.domain.com, where INGRESS-DOMAIN is the value of the ingress_domain property in your deployment YAML.
Note: In a multi-cluster setup, a DNS record is required for the domain. The following instructions for a single-cluster setup do not apply; skip to the Set Target section.
In a single-cluster setup, a DNS record is still recommended. However, if no accessible DNS record exists for the domain, edit the /etc/hosts file to add a local record:
# Look up the external IP address of the Envoy ingress service
ENVOY_IP=$(kubectl get svc envoy -n tanzu-system-ingress -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
# Replace with your domain
METADATA_STORE_DOMAIN="metadata-store.example.domain.com"
# Delete any previously added entry
# (-i '' is the BSD/macOS sed form; with GNU sed on Linux, use -i with no '' argument)
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts
# Append the new record
echo "$ENVOY_IP $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null
To get the certificate, run:
kubectl get secret ingress-cert -n metadata-store -o json | jq -r '.data."ca.crt"' | base64 -d > insight-ca.crt
Set the target by running:
tanzu insight config set-target https://$METADATA_STORE_DOMAIN --ca-cert insight-ca.crt
Important: The tanzu insight config set-target command does not initiate a test connection. Use tanzu insight health to test connecting using the configured endpoint and CA certificate. Neither command tests whether the access token is correct. For that, you must use the plug-in to add data and query data.
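The certificate pipeline above exits successfully even when the secret has no ca.crt key: jq prints null, and base64 -d decodes that to three junk bytes, which set-target then accepts without testing. The following check is an added example, not part of the product documentation; the function name check_ca_file is hypothetical and the script assumes openssl is installed.

```shell
#!/usr/bin/env bash
# Added example: validate the CA file before passing it to --ca-cert.
# check_ca_file is a hypothetical helper name; openssl is assumed installed.

# Returns 0 only if FILE holds a parseable, unexpired PEM X.509 certificate.
# Return codes: 1 missing/empty, 2 no PEM header, 3 no openssl,
#               4 unparseable, 5 expired.
check_ca_file() {
  local file="$1"
  if [ ! -s "$file" ]; then
    echo "CA file '$file' is missing or empty" >&2
    return 1
  fi
  # Junk from a decoded "null" has no PEM header, so test for it explicitly.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$file"; then
    echo "no PEM certificate in '$file'" >&2
    return 2
  fi
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; cannot parse '$file'" >&2
    return 3
  fi
  if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
    echo "'$file' does not parse as an X.509 certificate" >&2
    return 4
  fi
  # -checkend 0 exits non-zero when the certificate has already expired.
  if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
    echo "certificate in '$file' has expired" >&2
    return 5
  fi
  # Print identifying fields so they can be compared with the cluster's CA.
  openssl x509 -in "$file" -noout -subject -enddate -fingerprint -sha256
}

# Usage, once insight-ca.crt has been written:
#   check_ca_file insight-ca.crt && \
#     tanzu insight config set-target "https://$METADATA_STORE_DOMAIN" --ca-cert insight-ca.crt
```

Running the check before set-target catches an empty or malformed CA file at the point it is created, rather than later as a TLS error from tanzu insight health.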
For information about deploying SCST - Store without Ingress, see: