Refreshing the ECR Credentials in Kubernetes

During the initial OMT installation, the credentials and the URL for the ECR (Elastic Container Repository) are passed through environment variables ECR_USER_NAME, ECR_USER_PASSWORD and ECR_URL. All of these values are then stored inside Kubernetes as Secrets for use in OMT during installation as well by your ArcSight Suite products.

The security policy on AWS ECR requires that the ECR_USER_PASSWORD is valid for 12 hours after creation. The following scenarios require a refresh of the password used to access the Docker images stored in the ECR when:

In such cases, replace the stored user password with a freshly generated one

To refresh the credentials:

  1. On the bastion, change directory to arcsight-platform-cloud-installer-23.2.X/aws-scripts/scripts.

  2. Generate a new ecr_credentials snippet by running the command:

    ./upload_images_to_ECR --get-ecr-credentials
  3. Add the retrieved values to the environment:

    source ecr_credentials
  4. Run the following script to create a set of JSON files to be applied to the cluster:

    ./generate_aws_secret
    The script has no output, except when one or more required environment variables (ECR_USER_NAME, ECR_USER_PASSWORD or ECR_URL) are empty. This procedure though generates several new files named secret_xxxx.json in the directory where you ran the generate_aws_secret script.
  5. Execute the following command to apply all generated files to Kubernetes:

    kubectl apply -f secret_core.json
  6. Verify in the OMT, if all required or missing images are available when uploaded to the ECR correctly.