This topic describes how to use your LoadBalancer with Supply Chain Security Tools (SCST) - Store.
Note: LoadBalancer is not the recommended service type. Consider the recommended configuration of enabling Ingress.
To configure a LoadBalancer:
Edit /etc/hosts to use the external IP address of the metadata-store-app service:
METADATA_STORE_IP=$(kubectl get service/metadata-store-app --namespace metadata-store -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
METADATA_STORE_PORT=$(kubectl get service/metadata-store-app --namespace metadata-store -o jsonpath="{.spec.ports[0].port}")
METADATA_STORE_DOMAIN="metadata-store-app.metadata-store.svc.cluster.local"
# Delete any previously added entry
# (-i '' is the BSD/macOS sed form; GNU sed on Linux takes -i with no argument)
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts
echo "$METADATA_STORE_IP $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null
Note: On EKS, you must get the IP address for the LoadBalancer. Find the IP address by running something similar to the following:
dig RANDOM-SHA.us-east-2.elb.amazonaws.com
Where RANDOM-SHA is the EXTERNAL-IP received for the LoadBalancer.
dig command and write it to the /etc/hosts file.
If you want to use port forwarding instead of the external IP address from the LoadBalancer, follow these steps:
Configure port forwarding for the service so the insight plug-in can access SCST - Store. Run:
kubectl port-forward service/metadata-store-app 8443:8443 -n metadata-store
Note: You must run the port forwarding command in a separate terminal window, or run the command in the background:
kubectl port-forward service/metadata-store-app 8443:8443 -n metadata-store &
/etc/hosts file for Port Forwarding
Use the following script to add a new local entry to /etc/hosts:
METADATA_STORE_PORT=$(kubectl get service/metadata-store-app --namespace metadata-store -o jsonpath="{.spec.ports[0].port}")
METADATA_STORE_DOMAIN="metadata-store-app.metadata-store.svc.cluster.local"
# Delete any previously added entry
# (-i '' is the BSD/macOS sed form; GNU sed on Linux takes -i with no argument)
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts
echo "127.0.0.1 $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null
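Both /etc/hosts scripts above append whatever value they are given, so an empty METADATA_STORE_IP (the EKS case, where the load balancer is exposed by hostname) produces a broken entry, and the sed pattern also deletes any line that merely contains the domain. The following is an added example, not part of the original documentation: a POSIX shell variant that validates the address first and removes only exact hostname matches. The names is_ipv4, set_hosts_entry and SUDO, and the sample file, are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; function names and the sample hosts file are constructed.

# is_ipv4 ADDRESS: succeeds only for a dotted quad with every octet in 0-255.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NR > 1 || NF != 4 { bad = 1 }
    { for (i = 1; i <= NF; i++)
        if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# set_hosts_entry HOSTS_FILE IP DOMAIN
# Removes lines that name DOMAIN as a whole hostname field, then appends
# "IP DOMAIN". Leaves the file untouched when IP is empty or malformed.
# Set SUDO=sudo when HOSTS_FILE is /etc/hosts.
set_hosts_entry() {
  if ! is_ipv4 "$2"; then
    echo "not editing $1: '$2' is not an IPv4 address" >&2
    return 1
  fi
  tmp=$(mktemp) || return 1
  # Exact field match: dots in DOMAIN are literal, and longer names that only
  # contain DOMAIN are kept. Comment lines pass through unchanged.
  awk -v d="$3" '
    /^[ \t]*#/ { print; next }
    { for (i = 2; i <= NF; i++) if ($i == d) next; print }
  ' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
  printf '%s %s\n' "$2" "$3" >> "$tmp"
  # Writing through tee keeps the file's owner and mode; mv would replace them.
  ${SUDO:-} tee "$1" < "$tmp" > /dev/null
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Demo on a constructed file, not the real /etc/hosts.
demo=$(mktemp)
d=metadata-store-app.metadata-store.svc.cluster.local
printf '127.0.0.1 localhost\n10.0.0.9 %s\n10.0.0.8 x-%s\n' "$d" "$d" > "$demo"
set_hosts_entry "$demo" "" "$d" || echo "empty address rejected, file unchanged"
set_hosts_entry "$demo" 203.0.113.10 "$d" && cat "$demo"
rm -f "$demo"
```

To update the real file, call it as SUDO=sudo set_hosts_entry /etc/hosts "$METADATA_STORE_IP" "$METADATA_STORE_DOMAIN".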
Because you deployed Supply Chain Security Tools (SCST) - Store without using Ingress, you must use the Certificate resource app-tls-cert for HTTPS communication.
To get the CA Certificate:
kubectl get secret app-tls-cert -n metadata-store -o json | jq -r '.data."ca.crt"' | base64 -d > insight-ca.crt
Set the target by running:
tanzu insight config set-target https://$METADATA_STORE_DOMAIN:$METADATA_STORE_PORT --ca-cert insight-ca.crt
Important: The tanzu insight config set-target command does not initiate a test connection. Use tanzu insight health to test connecting using the configured endpoint and CA certificate. Neither command tests whether the access token is correct. For that, you must use the plug-in to add data and query data.