This topic describes how you can use your NodePort with Supply Chain Security Tools (SCST) - Store.
Note: The recommended service type is Ingress. NodePort is only recommended when the cluster does not support Ingress or the cluster does not support the LoadBalancer service type.
NodePort is not supported for a multicluster setup, as certificates cannot be modified.
You must use port forwarding when using the NodePort configuration.
Configure port forwarding for the service so the insight plug-in can access SCST - Store. Run:
kubectl port-forward service/metadata-store-app 8443:8443 -n metadata-store
Note: You must run the port forwarding command in a separate terminal window, or run the command in the background:
kubectl port-forward service/metadata-store-app 8443:8443 -n metadata-store &
/etc/hosts file for Port Forwarding
Use the following script to add a new local entry to /etc/hosts:
METADATA_STORE_PORT=$(kubectl get service/metadata-store-app --namespace metadata-store -o jsonpath="{.spec.ports[0].port}")
METADATA_STORE_DOMAIN="metadata-store-app.metadata-store.svc.cluster.local"
# delete any previously added entry
# (-i '' is the BSD/macOS sed form; with GNU sed on Linux, use -i without the empty argument)
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts
echo "127.0.0.1 $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null
Because you deployed Supply Chain Security Tools (SCST) - Store without using Ingress, you must use the Certificate resource app-tls-cert for HTTPS communication.
To get the CA Certificate:
kubectl get secret app-tls-cert -n metadata-store -o json | jq -r '.data."ca.crt"' | base64 -d > insight-ca.crt
Set the target by running:
tanzu insight config set-target https://$METADATA_STORE_DOMAIN:$METADATA_STORE_PORT --ca-cert insight-ca.crt
Important: The tanzu insight config set-target command does not initiate a test connection. Use tanzu insight health to test connecting using the configured endpoint and CA certificate. Neither command tests whether the access token is correct. For that, you must use the plug-in to add data and query data.
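The two helpers below are an added example, not part of the original documentation. They cover the /etc/hosts step and the CA certificate step above: one replaces the hosts entry by exact hostname match on any platform, the other checks that the extracted file really is a PEM certificate before it is passed to --ca-cert. The function names and the store-helpers.sh file name are hypothetical.

```shell
# Added example; set_hosts_entry and is_pem_cert are hypothetical helper names.
METADATA_STORE_DOMAIN="metadata-store-app.metadata-store.svc.cluster.local"

# set_hosts_entry FILE IP NAME
# Drops every line that maps exactly NAME (string compare, so the dots are not
# regex wildcards and longer names that merely contain NAME are kept), then
# appends a single "IP NAME" line. Uses awk, so it behaves the same with GNU
# and BSD userlands. A line that lists NAME next to other names is dropped whole.
set_hosts_entry() {
    hosts_file=$1; ip=$2; name=$3
    tmp=$(mktemp) || return 1
    awk -v name="$name" '
        /^[[:space:]]*#/ { print; next }      # keep comment lines
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break          # trailing comment: stop scanning
                if ($i == name) next          # exact hostname match: drop line
            }
            print
        }' "$hosts_file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s %s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$hosts_file"                # rewrite in place, keeps owner/mode
    rm -f "$tmp"
}

# is_pem_cert FILE
# Succeeds only if FILE is non-empty and contains a PEM certificate block.
# If the secret has no "ca.crt" key, jq -r prints "null" and the pipeline
# above still writes a file, so check it before handing it to --ca-cert.
is_pem_cert() {
    [ -s "$1" ] &&
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -e '-----END CERTIFICATE-----' "$1"
}

# Usage on a real host (root is needed to write /etc/hosts):
#   sudo sh -c '. ./store-helpers.sh; set_hosts_entry /etc/hosts 127.0.0.1 "$METADATA_STORE_DOMAIN"'
#   is_pem_cert insight-ca.crt || echo "insight-ca.crt is not a PEM certificate" >&2
```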