Updating Siebel Helm Releases with Custom Non-Root User ID and Group ID

To update Helm release files with custom non-root user ID and group ID:

  1. Verify that the Flux components, Helm releases, deployments, and pods are healthy and running without errors:
    cd /home/opc/siebel/<ENV_ID>/
    source k8sprofile
    
    flux get all -n <env_namespace>
    kubectl get helmrelease -n <env_namespace>
    helm ls -n <env_namespace>
    kubectl get pods -n <env_namespace>

    Proceed only when the environment is stable, that is:

    • flux get all does not show failing reconciliations.
    • kubectl get helmrelease shows READY=True for all relevant Helm releases.
    • helm ls shows STATUS=deployed for all relevant Helm charts.
    • kubectl get pods shows workload pods in Running state and completed job pods in Completed state.
  2. Pull the latest Git changes:
    cd /home/opc/siebel/<ENV_ID>/<env_namespace>-cloud-manager
    git pull
    cd /home/opc/siebel/<ENV_ID>/<env_namespace>-helmcharts
    git pull
  3. Update the Siebel Gateway Helm release as follows:
    1. Open the Siebel Gateway Helm release file:
      vi /home/opc/siebel/<ENV_ID>/<env_namespace>-cloud-manager/flux-crm/apps/base/siebel/siebel-gateway.yaml
    2. Under spec.values, add the securityContext section. If logging is enabled, also add logging.securityContext.runAsUser:
      apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      metadata:
         name: siebel-gateway
         namespace: <env_namespace>
      spec:
         releaseName: siebel-gateway
         chart:
            spec:
               chart: ./siebel-gateway
               sourceRef:
                  kind: GitRepository
                  name: <flux_helm_repo_name>
                  namespace: <flux_helm_repo_namespace>
         interval: 30m
         install:
            timeout: 60m
         upgrade:
            timeout: 60m
            remediation:
               retries: 3
               remediateLastFailure: true
               strategy: rollback
         uninstall:
            timeout: 30m
         values:
            image:
               siebel:
                  imagePullPolicy: Always
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/siebel
                  tag: <target_siebel_image_tag>
               busybox:
                  imagePullPolicy: Always
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/cm/base-builder
                  tag: <base_builder_tag_from_siebel_images_yaml>
            logging:
               enableLogging: <true_or_false>
               image:
                  imagePullPolicy: Always
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/cm/fluentd-collector
                  tag: <fluentd_collector_tag>
               securityContext:
                  runAsUser: <siebel_run_as_user>
            securityContext:
               runAsGroup: <siebel_run_as_group>
               runAsUser: <siebel_run_as_user>
               fsGroup: <siebel_fs_group>
  4. Update the Siebel Config Helm release as follows:
    1. Open the Siebel Config Helm release file:
      vi /home/opc/siebel/<ENV_ID>/<env_namespace>-cloud-manager/flux-crm/apps/base/siebel/siebel-config.yaml
    2. Under spec.values, add the securityContext section. Retain the existing environment-specific Git, registry, database, and image configuration values:
      apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      metadata:
         name: siebel-config
         namespace: <env_namespace>
      spec:
         releaseName: siebel-config
         chart:
            spec:
               chart: ./siebel-config
               sourceRef:
                  kind: GitRepository
                  name: <flux_helm_repo_name>
                  namespace: <flux_helm_repo_namespace>
         interval: 10m
         install:
            timeout: 120m
         upgrade:
            timeout: 120m
            remediation:
               retries: 3
               remediateLastFailure: true
               strategy: rollback
         uninstall:
            timeout: 30m
         values:
            image:
               busybox:
                  imagePullPolicy: Always
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/cm/base-builder
                  tag: <base_builder_tag_from_siebel_images_yaml>
               configure:
                  imagePullPolicy: Always
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/cm/sieb-config
                  tag: <sieb_config_tag_from_siebel_images_yaml>
               dbutils:
                  imagePullPolicy: Always
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/cm/dbutils
                  tag: <dbutils_tag_from_siebel_images_yaml>
               utils:
                  imagePullPolicy: Always
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/cm/utils
                  tag: <utils_tag_from_siebel_images_yaml>
            securityContext:
               runAsGroup: <siebel_run_as_group>
               runAsUser: <siebel_run_as_user>
               fsGroup: <siebel_fs_group>
  5. Update the Siebel Runtime Helm release as follows:
    1. Open the Siebel Runtime Helm release file:
      vi /home/opc/siebel/<ENV_ID>/<env_namespace>-cloud-manager/flux-crm/apps/base/siebel/siebel.yaml
    2. Under spec.values, add the securityContext section. If logging is enabled, also add logging.securityContext.runAsUser:
      apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      metadata:
         name: siebel
         namespace: <env_namespace>
      spec:
         releaseName: siebel
         chart:
            spec:
               chart: ./siebel
               sourceRef:
                  kind: GitRepository
                  name: <flux_helm_repo_name>
                  namespace: <flux_helm_repo_namespace>
         interval: 30m
         install:
            timeout: 120m
         upgrade:
            timeout: 120m
            remediation:
               retries: 3
               remediateLastFailure: true
               strategy: rollback
         uninstall:
            timeout: 30m
         values:
            image:
               siebel:
                  imagePullPolicy: Always
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/siebel
                  tag: <target_siebel_image_tag>
               busybox:
                  imagePullPolicy: Always
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/cm/base-builder
                  tag: <base_builder_tag_from_siebel_images_yaml>
               dbutils:
                  imagePullPolicy: Always
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/cm/dbutils
                  tag: <dbutils_tag_from_siebel_images_yaml>
               utils:
                  imagePullPolicy: Always
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/cm/utils
                  tag: <utils_tag_from_siebel_images_yaml>
            logging:
               enableLogging: <true_or_false>
               image:
                  imagePullPolicy: Always
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/cm/fluentd-collector
                  tag: <fluentd_collector_tag>
               securityContext:
                  runAsUser: <siebel_run_as_user>
            securityContext:
               runAsGroup: <siebel_run_as_group>
               runAsUser: <siebel_run_as_user>
               fsGroup: <siebel_fs_group>
  6. Update the Siebel Artifacts Helm release as follows:
    1. Open the Siebel Artifacts Helm release file:
      vi /home/opc/siebel/<ENV_ID>/<env_namespace>-cloud-manager/flux-crm/apps/base/siebel/siebel-artifacts.yaml
    2. Under spec.values, add the securityContext section:
      apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      metadata:
         name: siebel-artifacts
         namespace: <env_namespace>
      spec:
         releaseName: siebel-artifacts
         chart:
            spec:
               chart: ./siebel-artifacts
               sourceRef:
                  kind: GitRepository
                  name: <flux_helm_repo_name>
                  namespace: <flux_helm_repo_namespace>
         interval: 5m
         install:
            timeout: 60m
         upgrade:
            timeout: 60m
            remediation:
               retries: 3
               remediateLastFailure: true
               strategy: rollback
         uninstall:
            timeout: 30m
         values:
            image:
               siebel:
                  base_image: <user_registry_url>/<registry_prefix>/<env_namespace>/siebel:<target_siebel_version>-full
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/siebel
                  tag: <target_custom_siebel_image_tag>
               customImageBuilder:
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/cm/custom_image_builder
                  tag: <custom_image_builder_tag_from_siebel_images_yaml>
               busybox:
                  imagePullPolicy: Always
                  registry: <user_registry_url>
                  repository: <registry_prefix>/<env_namespace>/cm/base-builder
                  tag: <base_builder_tag_from_siebel_images_yaml>
            imageBuilder:
               privileged: <false_for_OCNE_and_OpenShift_true_for_other_cluster_types>
            securityContext:
               runAsGroup: <siebel_run_as_group>
               runAsUser: <siebel_run_as_user>
               fsGroup: <siebel_fs_group>
  7. Update the Metacontroller Helm release as follows:
    1. Open the Metacontroller Helm release file:
      vi /home/opc/siebel/<ENV_ID>/<env_namespace>-cloud-manager/flux-crm/metacontroller/release.yaml
    2. Under spec.values, add the podSecurityContext section:
      values:
         image:
            registry: <user_registry_url>
            repository: <registry_prefix>/<env_namespace>/cm/metacontroller
            pullPolicy: Always
            tag: <metacontroller_tag>
         podSecurityContext:
            runAsNonRoot: true
            runAsUser: <siebel_run_as_user>
            runAsGroup: <siebel_run_as_group>
            fsGroup: <siebel_fs_group>
  8. Update the Traefik Helm release as follows:
    1. Open the Traefik Helm release file:
      vi /home/opc/siebel/<ENV_ID>/<env_namespace>-cloud-manager/flux-crm/traefik/traefik-controller/release.yaml
    2. Under spec.values, add the podSecurityContext section:
      values:
         podSecurityContext:
            runAsGroup: <siebel_run_as_group>
            runAsNonRoot: true
            runAsUser: <siebel_run_as_user>
            seccompProfile:
               type: RuntimeDefault

In the above examples:

  • runAsNonRoot ensures that the component runs as a non-root user.
  • <siebel_run_as_user> specifies the user ID under which the component container processes run.
  • <siebel_run_as_group> specifies the group ID under which the component container processes run.
  • <siebel_fs_group> specifies the file system group ID used for access to shared volumes.
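
The following check is an added example, not part of the Siebel documentation or Oracle tooling. It lints an edited release file for the ID fields introduced in steps 3 through 8, flagging placeholders left unfilled, non-numeric values, and a runAsUser of 0. The function name check_ids, the sample files, and the ID value 1000 are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Oracle tooling): lint the ID fields in an edited release file.
# check_ids FILE prints one line per finding and returns the number of findings.
check_ids() {
  awk '
    /^[ \t]*(runAsUser|runAsGroup|fsGroup):/ {
      key = $1; sub(/:$/, "", key)
      val = $2; gsub(/"/, "", val)
      seen[key] = 1
      if (val ~ /^</) {                      # template placeholder left in place
        printf "line %d: %s is still a placeholder (%s)\n", NR, key, val; bad++
      } else if (val !~ /^[0-9]+$/) {        # IDs must be numeric
        printf "line %d: %s is not a numeric ID (%s)\n", NR, key, val; bad++
      } else if (key == "runAsUser" && val + 0 == 0) {
        # UID 0 is root; with runAsNonRoot: true the kubelet refuses to start it
        printf "line %d: runAsUser is 0 (root)\n", NR; bad++
      }
    }
    END {
      if (!("runAsUser" in seen)) { print "no runAsUser found"; bad++ }
      exit bad + 0
    }' "$1"
}

# Constructed sample inputs (values are illustrative, not from the Siebel docs).
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.yaml" <<'EOF'
values:
   securityContext:
      runAsGroup: 1000
      runAsUser: 1000
      fsGroup: 1000
EOF
cat > "$sample_dir/bad.yaml" <<'EOF'
values:
   podSecurityContext:
      runAsNonRoot: true
      runAsUser: 0
      runAsGroup: <siebel_run_as_group>
      fsGroup: "abc"
EOF

check_ids "$sample_dir/good.yaml" && echo "good.yaml: clean"
check_ids "$sample_dir/bad.yaml" || echo "bad.yaml: $? finding(s)"
```

Run it against each release file edited above; a non-zero return means at least one ID field still needs attention.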

For more details about the securityContext and podSecurityContext parameters, see Payload Parameters for Siebel CRM Deployment.