Use your NodePort with Supply Chain Security Tools - Store

This topic describes how you can use your NodePort with Supply Chain Security Tools (SCST) - Store.

Overview

The recommended service type is Ingress. NodePort is only recommended when the cluster does not support Ingress or the cluster does not support the LoadBalancer service type. NodePort is not supported for a multicluster setup because certificates cannot be modified.

You must use port forwarding when using the NodePort configuration.

Configure port-forwarding for the service so that the insight plug-in can access SCST - Store. You can configure port-forwarding in a separate terminal window or in the background.

  • From a separate terminal window, run:

    kubectl port-forward service/metadata-store-app 8443:8443 -n metadata-store

  • Alternatively, in the background run:

    kubectl port-forward service/metadata-store-app 8443:8443 -n metadata-store &

Edit your /etc/hosts file for port-forwarding

Use the following script to add a new local entry to /etc/hosts:

METADATA_STORE_PORT=$(kubectl get service/metadata-store-app --namespace metadata-store -o jsonpath="{.spec.ports[0].port}")
METADATA_STORE_DOMAIN="metadata-store-app.metadata-store.svc.cluster.local"

# delete any previously added entry
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts

echo "127.0.0.1 $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null

Configure the Insight plug-in

Because you deployed Supply Chain Security Tools (SCST) - Store without using Ingress, you must use the Certificate resource app-tls-cert for HTTPS communication.

To get the CA Certificate:

kubectl get secret app-tls-cert -n metadata-store -o json | jq -r '.data."ca.crt"' | base64 -d > insight-ca.crt

Set the target by running:

tanzu insight config set-target https://$METADATA_STORE_DOMAIN:$METADATA_STORE_PORT --ca-cert insight-ca.crt
Important

The tanzu insight config set-target does not initiate a test connection. Use tanzu insight health to test connecting using the configured endpoint and CA certificate. Neither commands test whether the access token is correct. For that you must use the plug-in to add data and query data.

check-circle-line exclamation-circle-line close-line
Scroll to top icon