This topic describes how you can deploy and configure your Kubernetes cluster for Supply Chain Security Tools (SCST) - Store.
The installation creates the following in your Kubernetes cluster:

- Four components, with a Service for each:
  - `metadata-store-app`, the `metadata-store` API back end
  - `metadata-store-db`
  - `amr-cloudevent-handler`. If AMR is deployed, see Deploying AMR.
  - `amr-graphql-app`. If AMR is deployed, see Deploying AMR.
- A namespace called `metadata-store`.
- A PersistentVolumeClaim `postgres-db-pv-claim` in the `metadata-store` namespace.
- A `tap` secret, installed to allow pulling SCST - Store images from a registry.
- Two ClusterRoles:
  - `metadata-store-read-write-client` is bound to a service account by default, giving that service account read and write privileges.
  - `metadata-store-read-only` isn't bound to any service account; you can bind to it if needed. See Service Accounts.
- (Optional) An HTTPProxy object for ingress support.
All configurations are nested inside `metadata_store` in your Tanzu Application Platform values deployment YAML. AMR-specific configurations are nested under `amr` in the `metadata_store` section.
VMware recommends the following connection methods for Tanzu Application Platform:

- With Contour (single cluster or multicluster): use Ingress.
- Without Contour, but with LoadBalancer support configured: use `LoadBalancer`.
- Without Contour and without LoadBalancer configuration: use `NodePort`.
- Multicluster without Contour is not supported.

For a production environment, VMware recommends installing SCST - Store with ingress enabled.
The Metadata Store app service type is configured inside the `metadata_store` property of the values file:

```yaml
metadata_store:
  app_service_type: "ClusterIP"
```

Supported values are `LoadBalancer`, `ClusterIP`, and `NodePort`. The `app_service_type` is set to `ClusterIP` by default.
The SCST - Store values file allows you to enable ingress support and to configure a custom domain name, using Contour to provide external access to the SCST - Store API. These ingress configurations are shared by the Metadata Store and AMR: enabling ingress for the Metadata Store enables it for both.

For example:

```yaml
metadata_store:
  ingress_enabled: "true"
  ingress_domain: "example.com"
  app_service_type: "ClusterIP" # recommended setting when ingress is enabled
```

An HTTPProxy object is installed with `metadata-store.example.com` as the FQDN. For more information, see Ingress.

Important: the `ingress_enabled` property expects a string value of `"true"` or `"false"`, not a Boolean value.
You can start using the Metadata Store with the default database included with the deployment. The default database deployment does not support many enterprise production requirements, including scaling, redundancy, and failover. However, it is a secure deployment.
You can configure the deployment to use your own RDS database instead of the default. For more information, see Edit your AWS RDS PostgreSQL configuration.
You can configure the deployment to use any other PostgreSQL database. For more information, see Use an external PostgreSQL database for SCST - Store.
By default, a database password is generated after deployment. To configure a custom password, use the `metadata_store.db_password` property in the values file.

Important: there is a known issue related to changing database passwords. For more information, see Persistent volume retains data.

To configure a custom database password:

```yaml
metadata_store:
  db_password: "PASSWORD"
```

Where `PASSWORD` is the password used by both the Metadata Store and AMR deployments, which share this database.
By default, a service account with read-write privileges to the Metadata Store app is installed. This service account is a cluster-wide account that uses a ClusterRole. If you don't want the service account and role, set the `add_default_rw_service_account` property to `"false"`. To create a custom service account, see Retrieve and create service accounts.
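The following Python script is an added example, not code from the SCST - Store package or its documentation. It checks a `metadata_store` values fragment for the pitfalls described in the ingress, service-type and service-account sections above: `ingress_enabled` or `add_default_rw_service_account` written as an unquoted YAML boolean instead of the string `"true"`/`"false"`, an unsupported `app_service_type`, and ingress enabled with a service type other than the recommended `ClusterIP`. It carries a small YAML-subset parser (nested maps of scalars only) so it runs without PyYAML while typing scalars the way a real loader does. The two sample fragments are constructed for this example.

```python
"""Pre-install check for the metadata_store section of a TAP values file.

Added example, not code from the SCST - Store package. The parser handles only
indentation-nested `key: value` maps of scalars, which is all this check needs,
and types scalars like a YAML loader would: unquoted true/false become bools,
quoted values stay strings.
"""
import re

SUPPORTED_SERVICE_TYPES = {"LoadBalancer", "ClusterIP", "NodePort"}
# Properties the package expects as the strings "true" / "false", not booleans.
STRING_BOOL_KEYS = ("ingress_enabled", "add_default_rw_service_account")
YAML_BOOLS = {"true": True, "false": False}


def _scalar(raw):
    """Type a scalar: quoted -> str, true/false -> bool, digits -> int, else str."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if raw in YAML_BOOLS:
        return YAML_BOOLS[raw]
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_values(text):
    """Parse indentation-nested `key: value` lines into nested dicts (subset parser)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open map
    for line in text.splitlines():
        body = line.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not body.strip() or body.lstrip().startswith("#"):
            continue
        indent = len(body) - len(body.lstrip(" "))
        key, _, rest = body.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent closes nested maps
            stack.pop()
        parent = stack[-1][1]
        if rest.strip():
            parent[key] = _scalar(rest.strip())
        else:  # a key with no value opens a nested map
            parent[key] = child = {}
            stack.append((indent, child))
    return root


def validate(values):
    """Return findings as (severity, message) tuples; an empty list means the section passes."""
    findings = []
    ms = values.get("metadata_store")
    if not isinstance(ms, dict):
        return [("error", "metadata_store section is missing")]
    for key in STRING_BOOL_KEYS:
        if key not in ms:
            continue
        v = ms[key]
        if isinstance(v, bool):
            word = str(v).lower()
            findings.append(("error", f'{key}: unquoted {word} is a YAML boolean; '
                                      f'the package expects the string "{word}"'))
        elif v not in ("true", "false"):
            findings.append(("error", f'{key}: expected "true" or "false", got {v!r}'))
    service_type = ms.get("app_service_type", "ClusterIP")  # package default
    if service_type not in SUPPORTED_SERVICE_TYPES:
        findings.append(("error", f"app_service_type: {service_type!r} is not one of "
                                  f"{sorted(SUPPORTED_SERVICE_TYPES)}"))
    # A mistyped boolean still means the operator intended to enable ingress.
    ingress_on = ms.get("ingress_enabled") in ("true", True)
    if ingress_on and service_type != "ClusterIP":
        findings.append(("warn", f"ingress is enabled but app_service_type is {service_type}; "
                                 "ClusterIP is the recommended setting with ingress"))
    return findings


def check(text):
    """Parse and validate a values-file fragment; returns the findings list."""
    return validate(parse_values(text))


# Constructed sample fragments for this example (not from a real deployment).
BAD_VALUES = """\
metadata_store:
  ingress_enabled: true          # unquoted: parsed as a boolean
  ingress_domain: "example.com"
  app_service_type: "LoadBalancer"
  add_default_rw_service_account: false
"""

GOOD_VALUES = """\
metadata_store:
  ingress_enabled: "true"
  ingress_domain: "example.com"
  app_service_type: "ClusterIP"  # recommended setting when ingress is enabled
  add_default_rw_service_account: "false"
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_VALUES), ("good", GOOD_VALUES)):
        print(name, check(text) or "OK")
```

Run the script to see the two boolean errors and the service-type warning for the first fragment and `OK` for the second; point `check()` at the `metadata_store` section of your own values file before running the package install.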
The store also creates a read-only cluster role, `metadata-store-read-only`. It is not bound to any service account by default; you bind it to a service account of your own by using a ClusterRoleBinding. To create service accounts to bind to this cluster role, see Retrieve and create service accounts.
SCST - Store creates a Secret Export for exporting certificates to SCST - Store to securely post scan results. These certificates are exported to the namespace where SCST - Store is installed.