chore(ci): update to silkbomb 2.0 (#6734)

Author: wratner

.evergreen/buildvariants-and-tasks.in.yml

@@ -32,31 +32,31 @@ const PACKAGE_BUILD_VARIANTS = [
     // # when compiling/re-building addons. This ensures compatibility with other
     // # debian platforms that have glibc 2.27 or newer.
     run_on: 'ubuntu1804-large',
-    silk_asset_group: 'compass-ubuntu',
+    target_platform: 'ubuntu',
   },
   {
     name: 'package-windows',
     display_name: 'Package Windows',
     run_on: 'windows-vsCurrent-large',
-    silk_asset_group: 'compass-windows',
+    target_platform: 'windows',
   },
   {
     name: 'package-rhel',
     display_name: 'Package RHEL',
     run_on: 'rhel80-large',
-    silk_asset_group: 'compass-rhel',
+    target_platform: 'rhel',
   },
   {
     name: 'package-macos-x64',
     display_name: 'Package MacOS Intel',
     run_on: 'macos-14',
-    silk_asset_group: 'compass-macos',
+    target_platform: 'macos',
   },
   {
     name: 'package-macos-arm',
     display_name: 'Package MacOS Arm64',
     run_on: 'macos-14-arm64',
-    silk_asset_group: 'compass-macos-arm',
+    target_platform: 'macos-arm',
   }
 ];
 

.evergreen/buildvariants-and-tasks.yml

@@ -33,7 +33,7 @@ buildvariants:
         run_on: macos-14-arm64-gui
   - name: package-ubuntu
     expansions:
-      silk_asset_group: compass-ubuntu
+      target_platform: ubuntu
     display_name: Package Ubuntu
     run_on: ubuntu1804-large
     tasks:
@@ -42,7 +42,7 @@ buildvariants:
       - name: package-compass-readonly
   - name: package-windows
     expansions:
-      silk_asset_group: compass-windows
+      target_platform: windows
     display_name: Package Windows
     run_on: windows-vsCurrent-large
     tasks:
@@ -51,7 +51,7 @@ buildvariants:
       - name: package-compass-readonly
   - name: package-rhel
     expansions:
-      silk_asset_group: compass-rhel
+      target_platform: rhel
     display_name: Package RHEL
     run_on: rhel80-large
     tasks:
@@ -60,7 +60,7 @@ buildvariants:
       - name: package-compass-readonly
   - name: package-macos-x64
     expansions:
-      silk_asset_group: compass-macos
+      target_platform: macos
     display_name: Package MacOS Intel
     run_on: macos-14
     tasks:
@@ -69,7 +69,7 @@ buildvariants:
       - name: package-compass-readonly
   - name: package-macos-arm
     expansions:
-      silk_asset_group: compass-macos-arm
+      target_platform: macos-arm
     display_name: Package MacOS Arm64
     run_on: macos-14-arm64
     tasks:

.evergreen/create-sbom.sh

@@ -7,27 +7,26 @@ CRYPT_SHARED_VERSION=$(cat packages/compass/src/deps/csfle/version)
 
 set +x
 echo "${ARTIFACTORY_PASSWORD}" > /tmp/artifactory_password
-cat << EOF > /tmp/silkbomb.env
-SILK_CLIENT_ID=${SILK_CLIENT_ID}
-SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET}
-EOF
 set -x
 
 trap_handler() {
-  rm -vf /tmp/artifactory_password /tmp/silkbomb.env
+  rm -vf /tmp/artifactory_password
 }
 trap trap_handler ERR EXIT
 
-scp -v -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" .sbom/dependencies.json /tmp/silkbomb.env /tmp/artifactory_password "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/
+scp -v -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" .sbom/dependencies.json /tmp/artifactory_password "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/
 ssh -v -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -p "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME" \
   "(cat /tmp/dependencies.json | jq -r '.[] | "'"pkg:npm/" + .name + "@" + .version'"' > /tmp/purls.txt) && \
   echo "pkg:generic/mongo_crypt_shared@${CRYPT_SHARED_VERSION}" >> /tmp/purls.txt && \
-  (cat /tmp/artifactory_password | docker login artifactory.corp.mongodb.com --username '${ARTIFACTORY_USERNAME}' --password-stdin ; rm -f /tmp/artifactor_password ) && \
-  docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 && \
-  docker run --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update \
+  (cat /tmp/artifactory_password | docker login artifactory.corp.mongodb.com --username '${ARTIFACTORY_USERNAME}' --password-stdin ; rm -f /tmp/artifactory_password ) && \
+  docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 && \
+  docker run --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 update \
     --purls /tmp/purls.txt --sbom-out /tmp/sbom-lite.json && \
-  docker run --env-file /tmp/silkbomb.env --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 upload \
-    --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-in /tmp/sbom-lite.json && \
-  docker run --env-file /tmp/silkbomb.env --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 download \
-    --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /tmp/sbom.json"
-scp -v -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/{sbom-lite.json,sbom.json,purls.txt} .sbom/
+  kondukto_token=\$(AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
+                  AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
+                  AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \
+                  aws secretsmanager get-secret-value --secret-id \"kondukto-token\" --query 'SecretString' --output text) && \
+  echo \"KONDUKTO_TOKEN=\$kondukto_token\" > /tmp/kondukto_credentials.env && \
+  docker run --env-file /tmp/kondukto_credentials.env --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 augment \
+    --repo mongodb-js/compass --branch ${KONDUKTO_BRANCH} --sbom-in /tmp/sbom-lite.json --sbom-out /tmp/sbom.json"
+scp -v -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/{sbom-lite.json,sbom.json,purls.txt} .sbom/

.evergreen/functions.yml

@@ -413,10 +413,15 @@ functions:
           # Load environment variables
           eval $(.evergreen/print-compass-env.sh)
           cd packages/compass && npm run prepackage-compass
+    - command: ec2.assume_role
+      display_name: Assume IAM role with permissions to pull Kondukto API token
+      params:
+        role_arn: ${kondukto_role_arn}
     - command: shell.exec
       params:
         working_dir: src
         shell: bash
+        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
         env:
           ARTIFACTORY_USERNAME: ${artifactory_username}
           ARTIFACTORY_PASSWORD: ${artifactory_password}
@@ -425,10 +430,8 @@ functions:
           SIGNING_SERVER_PRIVATE_KEY_CYGPATH: ${SIGNING_SERVER_PRIVATE_KEY_CYGPATH}
           SIGNING_SERVER_USERNAME: ${SIGNING_SERVER_USERNAME}
           SIGNING_SERVER_PORT: ${SIGNING_SERVER_PORT}
-          # for Silk SBOM integration
-          SILK_ASSET_GROUP: ${silk_asset_group}
-          SILK_CLIENT_ID: ${silk_client_id}
-          SILK_CLIENT_SECRET: ${silk_client_secret}
+          # for SilkBomb integration
+          KONDUKTO_BRANCH: ${branch_name}_${target_platform}
         script: |
           set -e