Refreshing the ECR Credentials in Kubernetes

During the initial CDF installation, the credentials and the URL for the ECR (Elastic Container Repository) are passed through the environment variables ECR_USER_NAME, ECR_USER_PASSWORD and ECR_URL. All of these values are then stored inside Kubernetes as Docker secrets, for use by CDF during installation as well as by your ArcSight Suite products.

The security policy on AWS ECR requires that the ECR_USER_PASSWORD is valid for 12 hours after creation. The following scenarios require a refresh of the password used to access the Docker images stored in the ECR when:

In such cases, replace the stored user password with a freshly generated one.

To refresh the credentials:

  1. On the bastion, change directory to arcsight-platform-cloud-installer-22.1.X.X/aws-scripts/scripts.

  2. Generate a new ecr_credentials snippet by running the command:

    ./upload_images_to_ECR --get-ecr-credentials

  3. Add the retrieved values to the environment:

    source ecr_credentials

  4. Run the following script to create a set of JSON files to be applied to the cluster:

    ./generate_aws_secret

     The script produces no output unless one or more of the required environment variables (ECR_USER_NAME, ECR_USER_PASSWORD or ECR_URL) are empty. It does, however, generate several new files named secret_xxxx.json in the directory where you ran the generate_aws_secret script.

  5. Execute the following command to apply all generated files to Kubernetes:

    kubectl apply -f secret_core.json
  6. Verify in the CDF that all required or previously missing images are available and were uploaded to the ECR correctly.
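
Because generate_aws_secret is silent on success, a check between steps 4 and 5 can confirm that the generated files really carry the freshly sourced credentials and are not left over from an earlier run. The following script is an added example, not part of the ArcSight installer; it assumes the secret_xxxx.json files are standard Kubernetes manifests of type kubernetes.io/dockerconfigjson (a single Secret or a List), which the page does not state.

```python
import base64, glob, json, os, sys, time

MAX_AGE = 12 * 3600  # password lifetime stated in the text above, in seconds

def host(url):
    """Reduce a registry URL to its lower-case host so both sides compare equal."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()

def credentials(entry):
    """Return (user, password) from an auths entry, whichever form it uses."""
    if "auth" in entry:  # base64("user:password")
        return tuple(base64.b64decode(entry["auth"]).decode().split(":", 1))
    return entry.get("username"), entry.get("password")

def check_manifest(manifest, ecr_url, user, password):
    """List mismatches between one parsed manifest and the sourced values."""
    items = manifest.get("items", [manifest])  # kind: List or a single Secret
    items = [i for i in items if i.get("type") == "kubernetes.io/dockerconfigjson"]
    if not items:  # assumption: registry secrets use this standard type
        return ["no kubernetes.io/dockerconfigjson secret found"]
    problems = []
    for item in items:
        name = item.get("metadata", {}).get("name", "<unnamed>")
        try:
            blob = base64.b64decode(item["data"][".dockerconfigjson"])
            auths = {host(k): credentials(v) for k, v in json.loads(blob)["auths"].items()}
        except (KeyError, TypeError, ValueError, AttributeError):
            problems.append(f"{name}: unreadable .dockerconfigjson")
            continue
        if host(ecr_url) not in auths:
            problems.append(f"{name}: no entry for {host(ecr_url)}")
        elif auths[host(ecr_url)] != (user, password):  # never print the values
            problems.append(f"{name}: credentials differ from the environment")
    return problems

def main():
    env = [os.environ.get(k, "") for k in ("ECR_URL", "ECR_USER_NAME", "ECR_USER_PASSWORD")]
    paths = sorted(glob.glob("secret_*.json"))
    if not all(env) or not paths:
        sys.exit("source ecr_credentials first and run next to the secret_*.json files")
    report = []
    for path in paths:
        with open(path) as fh:
            report += [f"{path}: {p}" for p in check_manifest(json.load(fh), *env)]
        if time.time() - os.path.getmtime(path) > MAX_AGE:
            report.append(f"{path}: older than 12 hours, regenerate it")
    sys.exit("\n".join(report) if report else 0)

if __name__ == "__main__":
    main()
```

Run it from the directory that holds the generated files, in the same shell session that sourced ecr_credentials; the three variables must be exported for the script to see them.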