The installation creates the following in your Kubernetes cluster:

- Two components: an API backend and a database. Each component includes:
  - service
  - deployment
  - replicaset
  - pod
- Persistent volume and persistent volume claim.
- External IP (based on a deployment configuration set to use `LoadBalancer`).
- A Kubernetes secret to allow pulling Supply Chain Security Tools - Store images from a registry.
- A namespace called `metadata-store`.
- A service account with read-write privileges named `metadata-store-read-write-client`. It's bound to a ClusterRole named `metadata-store-read-write`.
- A read-only ClusterRole named `metadata-store-read-only` that isn't bound to a service account. See Service Accounts.
The default database that ships with the deployment is meant to get users started using the metadata store. The default database deployment does not support many enterprise production requirements, including scaling, redundancy, or failover. However, it is still a secure deployment.
Users can also configure the deployment to use their own RDS database instead of the default. See AWS RDS Postgres Configuration.
By default, a database password is generated automatically upon deployment. To configure a custom password, use the `db_password` property in the `metadata-store-values.yaml` during deployment:

```yaml
db_password: "PASSWORD-0123"
```
If you're deploying with TAP profiles, in `tap-values.yaml`, put:

```yaml
metadata_store:
  db_password: "PASSWORD-0123"
```

Where `PASSWORD-0123` is the same password used between deployments.
Note: there is a known issue related to changing database passwords. See Known Issues - Persistent Volume Retains Data.
If your environment does not support `LoadBalancer`, and you want to use `NodePort`, configure the `app_service_type` property in your `metadata-store-values.yaml`:

```yaml
app_service_type: "NodePort"
```
By default, a service account with read-write privileges to the metadata store app is installed. This service account is a cluster-wide account that uses a ClusterRole. If you don't want the service account and role, set the `add_default_rw_service_account` property to `"false"`. To create a custom service account, see create service account.

The store automatically creates a read-only ClusterRole, which can be bound to a service account via a ClusterRoleBinding. To create service accounts to bind to this cluster role, see create service account.
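The following is an added example, not part of the product documentation, showing how the settings above combine into a least-privilege setup: a values file that sets an explicit password, uses `NodePort`, and disables the default cluster-wide read-write account, followed by manifests that create a read-only client bound to the `metadata-store-read-only` ClusterRole the store ships. The service account name `metadata-store-read-client` and the password value are assumptions chosen for illustration.

```yaml
# --- metadata-store-values.yaml (passed to the install, not applied with kubectl) ---
# Explicit database password instead of the auto-generated one (placeholder value).
db_password: "PASSWORD-0123"
# Environment without LoadBalancer support: expose the app via NodePort.
app_service_type: "NodePort"
# Skip the cluster-wide read-write service account; a narrower read-only
# client is created and bound explicitly in the manifests below.
add_default_rw_service_account: "false"
---
# --- Manifests to apply after install (kubectl apply -f) ---
# Read-only client for querying the store; name is an assumption.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metadata-store-read-client
  namespace: metadata-store
---
# Bind that service account to the read-only ClusterRole created by the store.
# The subject is namespaced, so the binding grants only what
# metadata-store-read-only allows and nothing from the read-write role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metadata-store-read-client
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metadata-store-read-only
subjects:
  - kind: ServiceAccount
    name: metadata-store-read-client
    namespace: metadata-store
```

After applying, confirm the binding with `kubectl describe clusterrolebinding metadata-store-read-client` and check that no binding to `metadata-store-read-write` exists for the new account.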
Supply Chain Security Tools - Store creates a Secret Export for exporting certificates to Supply Chain Security Tools - Scan so that scan results can be posted securely. These certificates are exported to the namespace where Supply Chain Security Tools - Scan is installed.