This topic describes how you can use your NodePort
with Supply Chain Security Tools (SCST) - Store.
The recommended service type is Ingress. NodePort
is only recommended when the cluster does not support Ingress or the cluster does not support the LoadBalancer service type. NodePort
is not supported for a multicluster setup because certificates cannot be modified.
You must use port forwarding when using the NodePort
configuration.
Configure port-forwarding for the service so that the insight plug-in can access SCST - Store. You can configure port-forwarding in a separate terminal window or in the background.
From a separate terminal window, run:
kubectl port-forward service/metadata-store-app 8443:8443 -n metadata-store
Alternatively, in the background run:
kubectl port-forward service/metadata-store-app 8443:8443 -n metadata-store &
Use the following script to add a new local entry to /etc/hosts
:
METADATA_STORE_PORT=$(kubectl get service/metadata-store-app --namespace metadata-store -o jsonpath="{.spec.ports[0].port}")
METADATA_STORE_DOMAIN="metadata-store-app.metadata-store.svc.cluster.local"
# delete any previously added entry
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts
echo "127.0.0.1 $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null
Because you deployed Supply Chain Security Tools (SCST) - Store without using Ingress, you must use the Certificate resource app-tls-cert
for HTTPS communication.
To get the CA Certificate:
kubectl get secret app-tls-cert -n metadata-store -o json | jq -r '.data."ca.crt"' | base64 -d > insight-ca.crt
Set the target by running:
tanzu insight config set-target https://$METADATA_STORE_DOMAIN:$METADATA_STORE_PORT --ca-cert insight-ca.crt
ImportantThe
tanzu insight config set-target
does not initiate a test connection. Usetanzu insight health
to test connecting using the configured endpoint and CA certificate. Neither commands test whether the access token is correct. For that you must use the plug-in to add data and query data.