This topic describes how you can deploy and configure your Kubernetes cluster for Supply Chain Security Tools (SCST) - Store.
The installation creates the following in your Kubernetes cluster:

- In the `metadata-store` namespace:
  - API back end `metadata-store-app`
  - `metadata-store-db`
  - `amr-persister`. If AMR is deployed, see Deploying AMR.
  - `artifact-metadata-repository-app`. If AMR is deployed, see Deploying AMR.
- The namespace `metadata-store`.
- Persistent volume claim `postgres-db-pv-claim` in the `metadata-store` namespace.
- `metadata-store-read-write-client`, which is bound to a service account by default, giving the service account read and write privileges.
- `metadata-store-read-only`, which isn't bound to any service accounts; you can bind to it if needed. See Service Accounts.

All configurations are nested inside of `metadata_store` in your TAP values deployment YAML. AMR-specific configurations are nested under `amr` in the `metadata_store` section.
VMware recommends the following connection methods for Tanzu Application Platform:

- Ingress.
- In a configuration with `LoadBalancer` support, use `LoadBalancer`.
- In a configuration without `LoadBalancer` support, use `NodePort`.

For a production environment, VMware recommends installing SCST - Store with ingress enabled.
Caution: AMR is a beta feature and is not recommended for use in production.
By default, AMR is not deployed with SCST - Store. There is an `amr` section inside `metadata_store`. To deploy AMR, you must set the `deploy` property under `amr` to `true`:

```yaml
metadata_store:
  amr:
    deploy: true
```

Note: The `deploy` property expects a Boolean value of `true` or `false`, not a string value.
This configuration is available in the following places:

- `metadata_store` configures the app service type of the metadata store.
- `amr` in the `metadata_store` section configures the app service type of AMR.

Supported values include:

- `LoadBalancer`
- `ClusterIP`
- `NodePort`

The `app_service_type` is set to `LoadBalancer` by default. If your environment does not support `LoadBalancer`, configure the `app_service_type` property to use `ClusterIP` in your deployment YAML.

For metadata-store:

```yaml
metadata_store:
  app_service_type: "ClusterIP"
```

For AMR:

```yaml
metadata_store:
  amr:
    deploy: true
    app_service_type: "ClusterIP"
```

If you set `ingress_enabled` to `"true"`, VMware recommends setting the `app_service_type` property to `"ClusterIP"`.

Note: The `app_service_type` is set to `ClusterIP` by default when you enable shared ingress.
SCST - Store's values file allows you to enable ingress support and to configure a custom domain name so that Contour provides external access to SCST - Store's API. These ingress settings are shared between the metadata store and AMR: enabling ingress for the store enables it for both.

For example:

```yaml
metadata_store:
  ingress_enabled: "true"
  ingress_domain: "example.com"
  app_service_type: "ClusterIP" # recommended setting when ingress is enabled
```

An HTTPProxy object is installed with `metadata-store.example.com` as the fully qualified domain name. See Ingress.

Note: The `ingress_enabled` property expects a string value of `"true"` or `"false"`, not a Boolean value.
The default database included with the deployment gets you started using the metadata store. The default database deployment does not support many enterprise production requirements, including scaling, redundancy, or failover. However, it is a secure deployment.
Users can also configure the deployment to use their own RDS database instead of the default. See AWS RDS Postgres Configuration.
Users can configure the deployment to use any other PostgreSQL database. See Use external postgres database.
By default, a database password is generated upon deployment. To configure a custom password, use the `db_password` property in the deployment YAML. The `db_password` property is available under `metadata_store` and under `amr` in `metadata_store`.

Important: There is a known issue related to changing database passwords. See Persistent Volume Retains Data.

To configure a custom database password for the store:

```yaml
metadata_store:
  db_password: "PASSWORD"
```

To configure a custom database password for AMR:

```yaml
metadata_store:
  amr:
    deploy: true
    db_password: "PASSWORD"
```

Where `PASSWORD` is the same password used for both deployments.
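The typing rules and recommendations in the sections above (a Boolean `deploy`, a string `ingress_enabled`, the supported `app_service_type` values and the `ClusterIP` recommendation when ingress is enabled, and one `db_password` shared by the store and AMR) are easy to get wrong in a values file. The following Python validator is an added example, not VMware's or the product's own code; it checks a parsed `metadata_store` section against those rules before you run `tanzu package install`. The rule set, the severities, and the two sample value sets are constructed here, and the section is represented as the Python dict that `yaml.safe_load` would return for the YAML shown on this page.

```python
"""Validate the metadata_store section of a TAP values file against the
rules documented for SCST - Store. Added example, not product code."""

# Supported app_service_type values, as listed in the documentation.
SUPPORTED_SERVICE_TYPES = {"LoadBalancer", "ClusterIP", "NodePort"}


def check_metadata_store(values):
    """Return a list of (severity, message) findings for a parsed values
    file. An empty list means the section passed every check."""
    findings = []
    ms = values.get("metadata_store")
    if not isinstance(ms, dict):
        return [("error", "metadata_store section is missing")]
    amr = ms.get("amr") or {}
    if not isinstance(amr, dict):
        return [("error", "metadata_store.amr must be a mapping")]

    # amr.deploy expects a YAML Boolean (true/false), not the string "true".
    if "deploy" in amr and not isinstance(amr["deploy"], bool):
        findings.append(("error",
            f"metadata_store.amr.deploy must be a Boolean, got {amr['deploy']!r}"))

    # ingress_enabled expects the string "true"/"false", not a YAML Boolean.
    ingress = ms.get("ingress_enabled")
    if ingress is not None and ingress not in ("true", "false"):
        findings.append(("error",
            f"metadata_store.ingress_enabled must be the string 'true' or 'false', got {ingress!r}"))
    # Treat a Boolean true as "meant to be on" so the checks below still apply.
    ingress_on = str(ingress).lower() == "true"
    if ingress_on and not ms.get("ingress_domain"):
        findings.append(("error", "ingress is enabled but ingress_domain is not set"))

    # app_service_type is configurable for the store and, separately, for AMR.
    for label, section in (("metadata_store", ms), ("metadata_store.amr", amr)):
        svc = section.get("app_service_type")
        if svc is None:
            continue  # defaults to LoadBalancer, or ClusterIP with shared ingress
        if svc not in SUPPORTED_SERVICE_TYPES:
            findings.append(("error",
                f"{label}.app_service_type {svc!r} is not one of {sorted(SUPPORTED_SERVICE_TYPES)}"))
        elif ingress_on and svc != "ClusterIP":
            findings.append(("warning",
                f"{label}.app_service_type is {svc}; ClusterIP is recommended when ingress is enabled"))

    # The store and AMR must be given the same database password.
    store_pw, amr_pw = ms.get("db_password"), amr.get("db_password")
    if store_pw is not None and amr_pw is not None and store_pw != amr_pw:
        findings.append(("error",
            "db_password differs between metadata_store and metadata_store.amr; use the same password"))

    # AMR is beta: surface the production caution whenever it is deployed.
    if amr.get("deploy") is True:
        findings.append(("warning", "AMR is a beta feature and is not recommended for production"))
    return findings


def errors(findings):
    """Only the findings that make the values file incorrect (not advisory)."""
    return [msg for sev, msg in findings if sev == "error"]


# Constructed sample: every mistake the documentation warns about.
BAD_VALUES = {
    "metadata_store": {
        "ingress_enabled": True,               # YAML Boolean; must be the string "true"
        "ingress_domain": "example.com",
        "app_service_type": "LoadBalancer",    # ClusterIP is recommended with ingress
        "db_password": "store-password",
        "amr": {
            "deploy": "true",                  # string; must be the Boolean true
            "app_service_type": "ClusterIp",   # unsupported value (wrong case)
            "db_password": "other-password",   # must match the store's password
        },
    }
}

# Constructed sample: the configuration the documentation recommends.
GOOD_VALUES = {
    "metadata_store": {
        "ingress_enabled": "true",
        "ingress_domain": "example.com",
        "app_service_type": "ClusterIP",
        "db_password": "PASSWORD",
        "amr": {"deploy": True, "app_service_type": "ClusterIP", "db_password": "PASSWORD"},
    }
}

if __name__ == "__main__":
    for name, values in (("bad", BAD_VALUES), ("good", GOOD_VALUES)):
        print(f"== {name} ==")
        for severity, message in check_metadata_store(values):
            print(f"{severity}: {message}")
```

Against `BAD_VALUES` the checker reports four errors (the string `deploy`, the Boolean `ingress_enabled`, the misspelled service type, and the mismatched passwords) plus the `ClusterIP` recommendation as a warning; `GOOD_VALUES` produces only the AMR beta warning. To run it on a real file, load it with PyYAML (`yaml.safe_load(open("tap-values.yaml"))`) and pass the resulting dict to `check_metadata_store`; that dependency is assumed and not part of the block.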
By default, a service account with read-write privileges to the metadata store app is installed. This service account is a cluster-wide account that uses a `ClusterRole`. If you don't want the service account and role, set the `add_default_rw_service_account` property to `"false"`. To create a custom service account, see Create Service Account.

The store creates a read-only cluster role, which is bound to a service account by using a `ClusterRoleBinding`. To create service accounts to bind to this cluster role, see Create Service Account.
SCST - Store creates a Secret Export for exporting certificates to Supply Chain Security Tools - Scan to securely post scan results. These certificates are exported to the namespace where Supply Chain Security Tools - Scan is installed.