This topic describes how you can configure your target endpoint and certificate for Supply Chain Security Tools (SCST) - Store.
The connection to SCST - Store requires TLS encryption, and the configuration depends on the kind of installation.
For a production environment, VMware recommends that SCST - Store is installed with ingress enabled. The following instructions help set up the TLS connection if you deployed with ingress enabled.
When using an Ingress setup, SCST - Store creates a specific TLS Certificate for HTTPS communications under the metadata-store
namespace.
Set the endpoint host to:
metadata-store.INGRESS-DOMAIN
Where INGRESS-DOMAIN
is the value of the ingress_domain
property in your deployment YAML
Example:
metadata-store.example.domain.com
NoteIn a multicluster setup, a DNS record is required for the domain. The following instructions for single cluster setup do not apply, skip to the Set the target section.
In a single-cluster setup, a DNS record is still recommended. However, if no accessible DNS record exists for the domain, edit the /etc/hosts
file to add a local record:
ENVOY_IP=$(kubectl get svc envoy -n tanzu-system-ingress -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
# Replace with your domain
METADATA_STORE_DOMAIN="metadata-store.example.domain.com"
# Delete any previously added entry
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts
echo "$ENVOY_IP $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null
To get the certificate, run:
kubectl get secret tap-ingress-selfsigned-root-ca -n cert-manager -o json | jq -r '.data."ca.crt"' | base64 -d > insight-ca.crt
Set the target by running:
tanzu insight config set-target https://$METADATA_STORE_DOMAIN --ca-cert insight-ca.crt
ImportantThe
tanzu insight config set-target
does not initiate a test connection. Usetanzu insight health
to test connecting using the configured endpoint and CA certificate. Neither commands test whether the access token is correct. For that you must use the plug-in to add data and query data.
For information about deploying SCST - Store without Ingress, see: