Use your NodePort with Supply Chain Security Tools - Store
This topic describes how you can use your NodePort with Supply Chain Security Tools (SCST) - Store.
Overview
NoteThe recommended service type is Ingress. NodePort is only recommended when the cluster does not support Ingress or the cluster does not support the LoadBalancer service type.
NodePortis not supported for a multicluster setup, as certificates cannot be modified.
You must use port forwarding when using the NodePort configuration.
Configure port-forwarding for the service so that the insight plug-in can access SCST - Store. You can configure port-forwarding in a separate terminal window or in the background.
From a separate terminal window, run:
kubectl port-forward service/metadata-store-app 8443:8443 -n metadata-store
Alternatively, run the following command in the background:
kubectl port-forward service/metadata-store-app 8443:8443 -n metadata-store &
Edit your /etc/hosts file for port-forwarding
Use the following script to add a new local entry to /etc/hosts:
METADATA_STORE_PORT=$(kubectl get service/metadata-store-app --namespace metadata-store -o jsonpath="{.spec.ports[0].port}")
METADATA_STORE_DOMAIN="metadata-store-app.metadata-store.svc.cluster.local"
# delete any previously added entry
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts
echo "127.0.0.1 $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null
Configure the Insight plug-in
Because you deployed Supply Chain Security Tools (SCST) - Store without using Ingress, you must use the Certificate resource app-tls-cert for HTTPS communication.
To get the CA Certificate:
kubectl get secret app-tls-cert -n metadata-store -o json | jq -r '.data."ca.crt"' | base64 -d > insight-ca.crt
Set the target by running:
tanzu insight config set-target https://$METADATA_STORE_DOMAIN:$METADATA_STORE_PORT --ca-cert insight-ca.crt
ImportantThe
tanzu insight config set-targetdoes not initiate a test connection. Usetanzu insight healthto test connecting using the configured endpoint and CA certificate. Neither commands test whether the access token is correct. For that you must use the plug-in to add data and query data.
