Upload Product Images to the Artifact Registry

The ArcSight capabilities will be deployed to a Google Kubernetes Engine Cluster.

The capabilities are deployed by using several Docker container images into the respective nodes for the cluster. Those containers must be uploaded to an Artifact Registry Repository in Google Cloud to be visible and configurable for the cluster.

Uploading the files to a secure network location

To identify the files to download to your secure network location, see "Downloading and Installing the ArcSight Platform Installation Files" in the Release Notes for ArcSight Platform 23.3.

The bastion VM is the one being used in the examples provided below, but any secure network location that has access to the registry (https://-docker.pkg.dev) and has the Google Cloud CLI will be able to upload the images.

Make sure you have the right credentials to copy files to this network location, to avoid issues when accessing the files.

These example commands assume that the installation files have been uploaded to a Cloud Storage Bucket (for example, gs://arcsight-installers-stable). Other methods can also be used to copy installation files to the bastion VM (scp for example).

mkdir ~/arcsight
cd ~/arcsight
gsutil -m cp gs://arcsight-installers-stable/arcsight-platform-cloud-installer-XX.X.X.X.zip .
gsutil -m cp gs://arcsight-installers-stable/23.3.x/layered-analytics-* .
gsutil -m cp gs://arcsight-installers-stable/23.3.x/intelligence* .
gsutil -m cp gs://arcsight-installers-stable/23.3.x/recon-* .
gsutil -m cp gs://arcsight-installers-stable/23.3.x/fusion-* .
gsutil -m cp gs://arcsight-installers-stable/23.3.x/transformationhub-* .
unzip  ~/arcsight/arcsight-platform-cloud-installer-XX.X.X.X.zip
unzip ~/arcsight/arcsight-platform-cloud-installer-XX.X.X.X/cdf-deployer.zip
unzip ~/arcsight/arcsight-platform-cloud-installer-XX.X.X.X/gcp-scripts.zip

Upon successful completion of the commands above, you should see a new directory named ~/arcsight-platform-cloud-installer-XX.X.X.X with the following structure:

[root@cdf-bastion arcsight23-1]# tree -d
.
├── arcsight-platform-cloud-installer-23.x.x.x
│   ├── cdf-deployer
│   │   ├── bin
│   │   ├── cdf
│   │   │   ├── cfg
│   │   │   ├── charts
│   │   │   ├── objectdefs
│   │   │   ├── properties
│   │   │   │   └── images
│   │   │   └── ssl
│   │   │       └── certs
│   │   ├── licenses
│   │   ├── scripts
│   │   └── tools
│   │       ├── cdf-doctor
│   │       │   └── cfg
│   │       ├── generate-download
│   │       ├── postgres-backup
│   │       └── silent-install
│   └── fusion-1.5.x.xx
└── transformationhub-3.6.x.xx

Upload the product images to the Artifact Registry from your secure network location

The Artifactory Registry is an Google Managed managed Container Registry. OMT and Kubernetes will search for product images to download from the Artifactory Registry and instantiate them.

The Artifactory Registry is accessible from the internet and protected by username and password credentials. You can perform tasks in this section from a local host or from the bastion, as long as the Google Cloud CLI has been configured.

Uploading images requires the uploadimages.sh script to be installed and located in the /cdf-deployer/scripts/ directory.

Follow these steps to upload the files to the registry (in this example, from the bastion):

  1. Generate a JSON key file for the account with the necessary privileges and upload it to the bastion

  2. From the bastion OS login to your Google Cloud account using the following command:

    gcloud auth login

  3. Generate a JSON Key file for the Service Account by executing the following command from the bastion server:

    There are several approaches that can be used to generate this key file, and you must select the one that better adapts to your security and organization policies. The one used here as an example is the simplest approach.
    gcloud iam service-accounts keys create <KEY_FILE> \
--iam-account=<SERVICE_ACCOUNT_EMAIL>

    Where:

    <KEY_FILE> refers to the path and file name for the JSON key file to be generated

    <SERVICE_ACCOUNT_EMAIL> the identifier email ID generated in Identity and Access Management (IAM)

    Important: The above command will generate a KEY_File, which must be safeguarded against misuse, to prevent it from becoming a security risk.

  4. Activate the service account impersonation using the key file:

    gcloud auth activate-service-account --key-file=<SA-KEY_FILE>.json

    Where:

    <SA-KEY_FILE> is the name of the previously generated key file

  5. Logon to the Artifact Repository with this command:

    gcloud auth print-access-token --impersonate-service-account <GCP-SERVICE-ACCOUNT>@<PROJECT-ID>.iam.gserviceaccount.com | docker login -u oauth2accesstoken --password-stdin https://<ARTIFACTORY-REGION>-docker.pkg.dev

    Where:

    <GCP-SERVICE-ACCOUNT>@<PROJECT-ID> is the service account used to generate the key file

    <ARTIFACTORY-REGION> is the zone where your Artifact Registry has been setup

  6. Upload the installation files to the Artifact Registry using the modified uploadimages.sh script:

    The uploadimages.sh script is located under the cloud platform installer directory: /cdf-deployer/scripts/.
    ./uploadimages.sh -y -r <REGION>-docker.pkg.dev -b "$(gcloud auth print-access-token)" -k 100000000000 -c 8 -o <ORGANIZATION> -F <IMAGE_FILE_PATH>cdf-byok-images.tar

    Where:

    <REGION> is the region where your Artifact Registry repository was created, see Create the Artifactory Registry

    <IMAGE_FILE_PATH> is the path to where the TAR files are stored

    <ORGANIZATION> is your organization

    The following example shows the command being executed for each product image:

    ./uploadimages.sh -y -r us-central1-docker.pkg.dev -b "$(gcloud auth print-access-token)" -k 5000000000 -c 8 -o security-arcsight-nonprod/arcsight-image-repository-3c8p -F /opt/arcsight23-1/arcsight-platform-cloud-installer-23.1.0.8/cdf-byok-images.tar
./uploadimages.sh -y -r us-central1-docker.pkg.dev -b "$(gcloud auth print-access-token)" -k 5000000000 -c 8 -o security-arcsight-nonprod/arcsight-image-repository-3c8p -F /opt/arcsight23-1/fusion-1.6.1.6.tar
./uploadimages.sh -y -r us-central1-docker.pkg.dev -b "$(gcloud auth print-access-token)" -k 5000000000 -c 8 -o security-arcsight-nonprod/arcsight-image-repository-3c8p -F /opt/arcsight23-1/intelligence-6.4.4.6.tar
./uploadimages.sh -y -r us-central1-docker.pkg.dev -b "$(gcloud auth print-access-token)" -k 5000000000 -c 8 -o security-arcsight-nonprod/arcsight-image-repository-3c8p -F /opt/arcsight23-1/transformationhub-3.7.0.6.tar
./uploadimages.sh -y -r us-central1-docker.pkg.dev -b "$(gcloud auth print-access-token)" -k 5000000000 -c 8 -o security-arcsight-nonprod/arcsight-image-repository-3c8p -F /opt/arcsight23-1/recon-1.5.1.6.tar

    After the execution of this command, all the container images are uploaded to the Artifact Registry and ready to be deployed to a GKE Cluster (created in Google Kubernetes Engine Cluster ).