Configure your target endpoint and certificate for Supply Chain Security Tools - Store

This topic describes how you can configure your target endpoint and certificate for Supply Chain Security Tools (SCST) - Store.

Overview

The connection to SCST - Store requires TLS encryption, and the configuration depends on the kind of installation.

For a production environment, VMware recommends that SCST - Store is installed with ingress enabled. The following instructions help set up the TLS connection if you deployed with ingress enabled.

Using Ingress

When using an Ingress setup, SCST - Store creates a specific TLS Certificate for HTTPS communications under the metadata-store namespace.

Set the endpoint host to:

metadata-store.INGRESS-DOMAIN

Where INGRESS-DOMAIN is the value of the ingress_domain property in your deployment YAML

Example:

metadata-store.example.domain.com
Note

In a multicluster setup, a DNS record is required for the domain. The following instructions for single cluster setup do not apply, skip to the Set the target section.

Single-cluster setup

In a single-cluster setup, a DNS record is still recommended. However, if no accessible DNS record exists for the domain, edit the /etc/hosts file to add a local record:

ENVOY_IP=$(kubectl get svc envoy -n tanzu-system-ingress -o jsonpath="{.status.loadBalancer.ingress[0].ip}")

# Replace with your domain
METADATA_STORE_DOMAIN="metadata-store.example.domain.com"

# Delete any previously added entry
sudo sed -i '' "/$METADATA_STORE_DOMAIN/d" /etc/hosts

echo "$ENVOY_IP $METADATA_STORE_DOMAIN" | sudo tee -a /etc/hosts > /dev/null

Set the target

To get the certificate, run:

kubectl get secret tap-ingress-selfsigned-root-ca -n cert-manager -o json | jq -r '.data."ca.crt"' | base64 -d > insight-ca.crt

Set the target by running:

tanzu insight config set-target https://$METADATA_STORE_DOMAIN --ca-cert insight-ca.crt
Important

The tanzu insight config set-target does not initiate a test connection. Use tanzu insight health to test connecting using the configured endpoint and CA certificate. Neither commands test whether the access token is correct. For that you must use the plug-in to add data and query data.

Next Step

Configure access token

Additional Resources

For information about deploying SCST - Store without Ingress, see:

check-circle-line exclamation-circle-line close-line
Scroll to top icon