From 14064763c2ec6642f3148a1cf2fb5fa944f3a66c Mon Sep 17 00:00:00 2001 From: andrpac Date: Thu, 10 Jul 2025 14:48:46 +0100 Subject: [PATCH 1/6] feat: allow unofficial images from ghcr.io to get promoted to official registries --- .github/actions/set-tag/action.yml | 14 ++++- .github/actions/set-tag/entrypoint.sh | 32 ++++++++--- .github/workflows/promote-image.yml | 83 +++++++++++++++++++++++++++ scripts/move-image.sh | 37 ++++++++++++ 4 files changed, 155 insertions(+), 11 deletions(-) create mode 100644 .github/workflows/promote-image.yml create mode 100755 scripts/move-image.sh diff --git a/.github/actions/set-tag/action.yml b/.github/actions/set-tag/action.yml index 7f2c65058f..174b48c782 100644 --- a/.github/actions/set-tag/action.yml +++ b/.github/actions/set-tag/action.yml @@ -1,8 +1,18 @@ name: 'Setup tag for docker image' -description: 'Setup tag for docker image: branch name with commit ID' +description: 'Generates a Docker image tag using branch name and short commit SHA.' +inputs: + branch_name: + description: 'Branch name to use for the tag (e.g., main, feature-xyz). Optional.' + required: false + commit_sha: + description: 'Full commit SHA to extract the short commit ID from. Optional.' + required: false + outputs: tag: - description: 'tag for the image' + description: 'Generated image tag in the format {branch-name}-{6-char-sha}' + runs: using: 'docker' image: 'Dockerfile' + args: [] diff --git a/.github/actions/set-tag/entrypoint.sh b/.github/actions/set-tag/entrypoint.sh index fadde623c0..e2978dcd85 100644 --- a/.github/actions/set-tag/entrypoint.sh +++ b/.github/actions/set-tag/entrypoint.sh 
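Review bot: The new `branch_name` and `commit_sha` descriptions do not say what happens when they are omitted, while the entrypoint changed in this same commit falls back to `git rev-parse HEAD` and to `GITHUB_HEAD_REF`/`GITHUB_REF` respectively, then truncates the branch name to 15 characters; a caller reading only action.yml cannot know that. I would extend them to `description: 'Branch name to use for the tag; defaults to the PR head or pushed branch, then / and . become - and the result is cut to 15 characters'` and `description: 'Full commit SHA; defaults to HEAD of the checked-out workspace. Only the first 6 characters end up in the tag.'`. The added `args: []` passes nothing to the container and looks like a no-op that can be dropped.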
@@ -13,17 +13,31 @@ # See the License for the specific language governing permissions and # limitations under the License. - -#set -eou pipefail +set -eou pipefail git config --global --add safe.directory /github/workspace -# Setup tag name -commit_id=$(git rev-parse --short HEAD) -branch_name=${GITHUB_HEAD_REF-} -if [ -z "${branch_name}" ]; then - branch_name=$(echo "$GITHUB_REF" | awk -F'/' '{print $3}') +# Get the full commit hash and shorten to 6 characters +full_commit_sha="${INPUT_COMMIT_SHA:-}" +if [ -z "$full_commit_sha" ]; then + full_commit_sha=$(git rev-parse HEAD) +fi +commit_id=$(echo "$full_commit_sha" | cut -c1-6) + +# Get the full branch name +branch_name="${INPUT_BRANCH_NAME:-}" +if [ -z "$branch_name" ]; then + if [ -n "$GITHUB_HEAD_REF" ]; then + branch_name="$GITHUB_HEAD_REF" + else + branch_name="${GITHUB_REF#refs/heads/}" + fi fi -branch_name=$(echo "${branch_name}" | awk '{print substr($0, 1, 15)}' | sed 's/\//-/g; s/\./-/g') + +# Replace / and . with - +# Then truncate to 15 characters +branch_name=$(echo "$branch_name" | sed 's/[\/\.]/-/g' | awk '{print substr($0, 1, 15)}') + +# Create tag as {branch_name}-{6-digit-commit} tag="${branch_name}-${commit_id}" -echo "tag=$tag" >> "$GITHUB_OUTPUT" +echo "tag=${tag}" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/promote-image.yml b/.github/workflows/promote-image.yml new file mode 100644 index 0000000000..17009e1384 --- /dev/null +++ b/.github/workflows/promote-image.yml 
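Review bot: Re-enabling `set -eou pipefail` makes `if [ -n "$GITHUB_HEAD_REF" ]` abort under `-u` whenever that variable is unset in the container, whereas the removed code guarded it with `${GITHUB_HEAD_REF-}`; use `if [ -n "${GITHUB_HEAD_REF:-}" ]; then`. The short id is now a fixed `cut -c1-6` of the SHA instead of `git rev-parse --short`, which drops git's collision-avoiding extension, so two commits may map to the same tag; probably acceptable for a prerelease tag, but worth a comment on the `commit_id=` line. `INPUT_COMMIT_SHA` is also never checked to be hexadecimal, so a typo in a caller silently yields a tag no image was pushed under; `case "$full_commit_sha" in *[!0-9a-fA-F]*) echo "invalid commit sha" >&2; exit 1;; esac` right after the fallback would catch it.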
@@ -0,0 +1,83 @@ +name: Promote Image + +on: + workflow_run: + workflows: ["Test"] + types: [completed] + +jobs: + promote-image: + runs-on: ubuntu-latest + environment: release + if: | + github.event.workflow_run.head_branch == 'main' && + github.event.workflow_run.conclusion == 'success' && + github.event.workflow_run.event == 'schedule' + env: + GHCR_REPO: ghcr.io/mongodb/mongodb-atlas-kubernetes-operator-prerelease + DOCKER_REPO: docker.io/mongodb/mongodb-atlas-kubernetes-operator-prerelease + QUAY_REPO: quay.io/mongodb/mongodb-atlas-kubernetes-operator-prerelease + steps: + - name: Checkout PR commit + uses: actions/checkout@v4 + + # Note, we have to be careful how we retrive the image. The event that pushed + # the image to the ghcr.io repo was mainly a push/schedule that passed all the + # tests. This event has access to github.ref_name. However, the workflow_run + # event does not have access github.ref_name set up. + # + # Therefore, we need to manually specify the branch as main + - name: Prepare image tag + id: set_tag + uses: ./.github/actions/set-tag + with: + branch_name: ${{ github.event.workflow_run.head_branch }} + commit_sha: ${{ github.event.workflow_run.head_sha }} + + - name: Log in to the GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Pull unofficial image from GitHub Container Registry + run: | + docker pull ${{ env.GHCR_REPO }}:${{ steps.set_tag.outputs.tag }} + + - name: Login to Docker registry + uses: docker/login-action@v3 + with: + registry: docker.io + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Log in to Quay registry + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_PASSWORD }} + + - name: Prepare tag for promoted image + id: promoted_tag + run: | + RAW_TAG="${{ 
steps.set_tag.outputs.tag }}" + COMMIT_SHA="${RAW_TAG##*-}" + echo "tag=promoted-${COMMIT_SHA}" >> $GITHUB_OUTPUT + + - name: Move image to Docker Hub + run: ./scripts/move-image.sh + env: + IMAGE_SRC_REPO: ${{ env.GHCR_REPO }} + IMAGE_DEST_REPO: ${{ env.DOCKER_REPO }} + IMAGE_SRC_TAG: ${{ steps.set_tag.outputs.tag }} + IMAGE_DEST_TAG: ${{ steps.promoted_tag.outputs.tag }} + + - name: Move image to Quay + run: ./scripts/move-image.sh + env: + IMAGE_SRC_REPO: ${{ env.GHCR_REPO }} + IMAGE_DEST_REPO: ${{ env.QUAY_REPO }} + IMAGE_SRC_TAG: ${{ steps.set_tag.outputs.tag }} + IMAGE_DEST_TAG: ${{ steps.promoted_tag.outputs.tag }} diff --git a/scripts/move-image.sh b/scripts/move-image.sh new file mode 100755 index 0000000000..691dc55cf0 --- /dev/null +++ b/scripts/move-image.sh 
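Review bot: The `docker pull` and `Prepare tag for promoted image` steps splice `${{ steps.set_tag.outputs.tag }}` directly into `run:` scripts; the tag derives from `workflow_run.head_branch`, which the job `if:` pins to `main`, so it is not attacker-controlled today, but it is the standard script-injection shape and will bite as soon as the branch filter is loosened. Pass it through `env:` (`env: TAG: ${{ steps.set_tag.outputs.tag }}`), use `"$TAG"` in the script, and quote `"$GITHUB_OUTPUT"`. Promotion is also keyed on a mutable ghcr.io tag rather than a digest, so what lands on Docker Hub and Quay is whatever carries that tag at promotion time, not necessarily the manifest the Test run exercised; resolving the digest once (for example with `docker manifest inspect` or `docker buildx imagetools inspect`) and moving `repo@sha256:<digest>` would close that gap. The step named `Checkout PR commit` checks out this workflow's default ref rather than `workflow_run.head_sha`, which is fine for loading the action code but the name misleads.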
@@ -0,0 +1,37 @@ +#!/bin/bash +# Copyright 2025 MongoDB Inc +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This scripts moves an image from a registry to another with retagging + +set -euo pipefail + +# Required environment variables +: "${IMAGE_SRC_REPO:?Missing IMAGE_SRC_REPO}" +: "${IMAGE_SRC_TAG:?Missing IMAGE_SRC_TAG}" +: "${IMAGE_DEST_REPO:?Missing IMAGE_DEST_REPO}" +: "${IMAGE_DEST_TAG:?Missing IMAGE_DEST_TAG}" + +image_src_url="${IMAGE_SRC_REPO}:${IMAGE_SRC_TAG}" +image_dest_url="${IMAGE_DEST_REPO}:${IMAGE_DEST_TAG}" + +echo "Checking if ${image_dest_url} already exists..." +if docker manifest inspect "${image_dest_url}" > /dev/null 2>&1; then + echo "${image_dest_url} already exists. Skipping push." +else + echo "Tagging ${image_src_url} -> ${image_dest_url}" + docker tag "${image_src_url}" "${image_dest_url}" + echo "Pushing to ${image_dest_url}..." + docker push "${image_dest_url}" +fi From 843009a4ebb5fd68f32b56cc7dd536141a57cdc6 Mon Sep 17 00:00:00 2001 From: andrpac Date: Fri, 11 Jul 2025 16:15:03 +0100 Subject: [PATCH 2/6] fix: allow test image for both platforms --- .github/workflows/test-e2e.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index eb8500481c..545466e932 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml 
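Review bot: When the destination tag already exists the script skips without checking that it holds the same image, so a stale or manually pushed `${image_dest_url}` is kept and the run still reports success; since these are release registries, the safer behaviour is to compare source and destination digests (for example via `docker buildx imagetools inspect --format '{{.Manifest.Digest}}'`) and exit non-zero on mismatch, skipping only when they agree. `docker manifest inspect … > /dev/null 2>&1` also maps every failure, including an expired login or a network error, onto "does not exist"; that is tolerable only because the following push would fail anyway, and a one-line comment saying so would stop someone from "fixing" it later. `docker tag` followed by `docker push` pushes only the single-platform image pulled locally, so multi-arch manifest lists are flattened; the later patch in this series replaces this with `buildx imagetools create`, which addresses that.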
@@ -61,7 +61,7 @@ jobs: repository: ${{ env.REPO }} version: ${{ steps.set_tag.outputs.tag }} tags: ${{ steps.set_image_url.outputs.image_url }} - platforms: linux/amd64 + platforms: linux/amd64,linux/arm64 push_to_docker: false e2e: From 85e5731429dd1d70d47519fcc86924ba2631e8a3 Mon Sep 17 00:00:00 2001 From: andrpac Date: Sun, 13 Jul 2025 20:43:24 +0100 Subject: [PATCH 3/6] feat: create release pipeline --- .../certify-openshift-images/action.yaml | 5 + .../certify-openshift-images/entrypoint.sh | 4 +- .github/workflows/cloud-tests-filter.yml | 2 +- .github/workflows/cloud-tests.yml | 16 -- .github/workflows/promote-image.yml | 32 ++- .github/workflows/release-image.yml | 208 ++++++++++++++++++ .github/workflows/test-e2e.yml | 167 -------------- .github/workflows/test.yml | 40 ---- scripts/move-image.sh | 26 ++- 9 files changed, 247 insertions(+), 253 deletions(-) create mode 100644 .github/workflows/release-image.yml diff --git a/.github/actions/certify-openshift-images/action.yaml b/.github/actions/certify-openshift-images/action.yaml index 5d1d294684..122172b3f5 100644 --- a/.github/actions/certify-openshift-images/action.yaml +++ b/.github/actions/certify-openshift-images/action.yaml @@ -11,6 +11,10 @@ inputs: version: description: The version of the image to be certified required: true + registry_username: + description: The username to access the registry + required: false + default: "mongodb+mongodb_atlas_kubernetes" registry_password: description: The password to access the quay.io registry required: true @@ -31,6 +35,7 @@ runs: REGISTRY: ${{ inputs.registry }} REPOSITORY: ${{ inputs.repository }} VERSION: ${{ inputs.version }} + REGISTRY_USERNAME: ${{ inputs.registry_username }} REGISTRY_PASSWORD: ${{ inputs.registry_password }} RHCC_TOKEN: ${{ inputs.rhcc_token }} RHCC_PROJECT: ${{ inputs.rhcc_project }} 
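Review bot: The new `registry_username` input defaults to the Quay robot account `mongodb+mongodb_atlas_kubernetes`, yet `registry` is itself an input and the neighbouring `registry_password` description still says "the quay.io registry"; a caller pointing the action at another registry will get an opaque login failure. I would make the coupling explicit: `description: The username to access the registry; the default is the quay.io robot account and must be overridden for any other registry`. Moving the account name out of the shell script into a documented input is otherwise an improvement.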
diff --git a/.github/actions/certify-openshift-images/entrypoint.sh b/.github/actions/certify-openshift-images/entrypoint.sh index ba6a4ecddb..d1752ea5a1 100644 --- a/.github/actions/certify-openshift-images/entrypoint.sh +++ b/.github/actions/certify-openshift-images/entrypoint.sh @@ -16,7 +16,7 @@ set -eou pipefail -docker login -u mongodb+mongodb_atlas_kubernetes -p "${REGISTRY_PASSWORD}" "${REGISTRY}" +echo "${REGISTRY_PASSWORD}" | docker login -u "${REGISTRY_USERNAME}" --password-stdin "${REGISTRY}" submit_flag=--submit if [ "${SUBMIT}" == "false" ]; then @@ -27,6 +27,6 @@ echo "Check and Submit result to RedHat Connect" # Send results to RedHat if preflight finished wthout errors preflight check container "${REGISTRY}/${REPOSITORY}:${VERSION}" \ --pyxis-api-token="${RHCC_TOKEN}" \ - --certification-project-id="${RHCC_PROJECT}" \ + --certification-component-id="${RHCC_PROJECT}" \ --docker-config="${HOME}/.docker/config.json" \ ${submit_flag} diff --git a/.github/workflows/cloud-tests-filter.yml b/.github/workflows/cloud-tests-filter.yml index dd6eca1628..0fb34f7be7 100644 --- a/.github/workflows/cloud-tests-filter.yml +++ b/.github/workflows/cloud-tests-filter.yml @@ -55,7 +55,7 @@ jobs: ACTOR: ${{ github.actor }} run: | # Evaluate whether or not cloud tests should run - RUN_CLOUD_TESTS='false' + RUN_CLOUD_TESTS='true' # Scheduled runs on default branch always run all tests if [ "${EVENT}" == "schedule" ];then RUN_CLOUD_TESTS='true' diff --git a/.github/workflows/cloud-tests.yml b/.github/workflows/cloud-tests.yml index 96acacc964..4abbdae69f 100644 --- a/.github/workflows/cloud-tests.yml +++ b/.github/workflows/cloud-tests.yml 
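Review bot: Flipping the initial value to `RUN_CLOUD_TESTS='true'` turns this filter from fail-closed into fail-open: every path through the decision that previously had to opt in now runs the cloud tests, and with them the `test` environment's secrets, unless some later condition explicitly sets it back to `'false'`. The rest of the evaluation is outside this hunk, so I cannot tell whether any such path exists. If this is a temporary change for exercising the release pipeline, as the commit subject suggests, it should be reverted before merge; otherwise add a comment above it such as `# Default to running cloud tests; only the conditions below may disable them` and make sure the fork check still short-circuits first.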
@@ -21,23 +21,7 @@ jobs: - name: allowed message run: echo "Allowed to run" - int-tests: - needs: allowed - uses: ./.github/workflows/test-int.yml - secrets: inherit - e2e-tests: needs: allowed uses: ./.github/workflows/test-e2e.yml secrets: inherit - - test-e2e-gov: - needs: - - allowed - uses: ./.github/workflows/test-e2e-gov.yml - secrets: inherit - - openshift-upgrade-test: - needs: allowed - uses: ./.github/workflows/openshift-upgrade-test.yaml - secrets: inherit diff --git a/.github/workflows/promote-image.yml b/.github/workflows/promote-image.yml index 17009e1384..1ca93fd1cf 100644 --- a/.github/workflows/promote-image.yml +++ b/.github/workflows/promote-image.yml @@ -21,19 +21,6 @@ jobs: - name: Checkout PR commit uses: actions/checkout@v4 - # Note, we have to be careful how we retrive the image. The event that pushed - # the image to the ghcr.io repo was mainly a push/schedule that passed all the - # tests. This event has access to github.ref_name. However, the workflow_run - # event does not have access github.ref_name set up. - # - # Therefore, we need to manually specify the branch as main - - name: Prepare image tag - id: set_tag - uses: ./.github/actions/set-tag - with: - branch_name: ${{ github.event.workflow_run.head_branch }} - commit_sha: ${{ github.event.workflow_run.head_sha }} - - name: Log in to the GitHub Container Registry uses: docker/login-action@v3 with: 
@@ -41,23 +28,32 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Pull unofficial image from GitHub Container Registry - run: | - docker pull ${{ env.GHCR_REPO }}:${{ steps.set_tag.outputs.tag }} - - name: Login to Docker registry uses: docker/login-action@v3 with: registry: docker.io username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - + - name: Log in to Quay registry uses: docker/login-action@v3 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_PASSWORD }} + + # Note, we have to be careful how we retrive the image. The event that pushed + # the image to the ghcr.io repo was mainly a push/schedule that passed all the + # tests. This event has access to github.ref_name. However, the workflow_run + # event does not have access github.ref_name set up. + # + # Therefore, we need to manually specify the branch as main + - name: Prepare image tag + id: set_tag + uses: ./.github/actions/set-tag + with: + branch_name: ${{ github.event.workflow_run.head_branch }} + commit_sha: ${{ github.event.workflow_run.head_sha }} - name: Prepare tag for promoted image id: promoted_tag diff --git a/.github/workflows/release-image.yml b/.github/workflows/release-image.yml new file mode 100644 index 0000000000..cb9b89d3e6 --- /dev/null +++ b/.github/workflows/release-image.yml 
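Review bot: The relocated comment block still says "we need to manually specify the branch as main" while the step actually passes `github.event.workflow_run.head_branch`, and it still spells "retrive"; since the block moved anyway, rewrite it, e.g. `# workflow_run events do not set github.ref_name, so the branch and SHA come from the triggering run (restricted to main by the job's if:)`. The `Prepare image tag` step now runs after all three registry logins; keeping it above them would fail fast before any credentials are exchanged if tag resolution breaks. Removing the explicit `docker pull` is consistent with the buildx-based `move-image.sh` in this commit, but a one-line comment saying the script copies manifests registry-to-registry would explain why no local pull is needed.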
@@ -0,0 +1,208 @@ +name: Release Image + +on: + workflow_dispatch: + inputs: + version: + description: "Release version (e.g., 1.2.3)" + required: true + type: string + authors: + description: "Comma-separated list of the release authors' emails" + required: true + type: string + commit_sha: + description: "Commit SHA to use for the image (e.g. 7c2a91 or latest)" + required: false + default: "latest" + type: string + push: + branches: + - '**' + +permissions: + contents: write + pull-requests: write + +jobs: + release-image: + runs-on: ubuntu-latest + environment: release + env: + VERSION: test-0.0.1 + AUTHORS: andrei.pacurar@mongodb.com + COMMIT_SHA: 99511c + + DOCKER_RELEASE_REPO: docker.io/andrpac/mongodb-atlas-kubernetes-operator + DOCKER_PRERELEASE_REPO: docker.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease + DOCKER_SIGNATURE_REPO: docker.io/andrpac/signatures + QUAY_RELEASE_REPO: quay.io/andrpac/mongodb-atlas-kubernetes-operator + QUAY_PRERELEASE_REPO: quay.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Generate GitHub App Token + id: generate_token + uses: mongodb/apix-action/token@v8 + with: + app-id: ${{ secrets.AKO_RELEASER_APP_ID }} + private-key: ${{ secrets.AKO_RELEASER_RSA_KEY }} + + # Login in into all registries + - name: Log in to Docker registry + uses: docker/login-action@v3 + with: + registry: docker.io + username: ${{ secrets.ANDRPAC_DOCKER_USERNAME }} + password: ${{ secrets.ANDRPAC_DOCKER_PASSWORD }} + + - name: Log in to Quay registry + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.ANDRPAC_QUAY_USERNAME }} + password: ${{ secrets.ANDRPAC_QUAY_PASSWORD }} + + - name: Log in to Artifactory + uses: docker/login-action@v3 + with: + registry: artifactory.corp.mongodb.com + username: ${{ secrets.MDB_ARTIFACTORY_USERNAME }} + password: ${{ secrets.MDB_ARTIFACTORY_PASSWORD }} + + - name: Install 
devbox + uses: jetify-com/devbox-install-action@v0.13.0 + + - name: Resolve commit SHA and tags + id: tags + run: | + if [ "${{ env.COMMIT_SHA }}" = "latest" ]; then + git fetch origin main + sha=$(git rev-parse origin/main) + else + sha="${{ env.COMMIT_SHA }}" + fi + + short_sha="${sha:0:6}" + promoted_tag="promoted-${short_sha}" + release_tag="${{ env.VERSION }}" + certified_tag="certified-${release_tag}" + + docker_image_url="${{ env.DOCKER_RELEASE_REPO }}:${release_tag}" + quay_image_url="${{ env.QUAY_RELEASE_REPO }}:${release_tag}" + quay_certified_image_url="${{ env.QUAY_RELEASE_REPO }}:${certified_tag}" + + echo "promoted_tag=${promoted_tag}" >> "$GITHUB_OUTPUT" + echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT" + echo "certified_tag=${certified_tag}" >> "$GITHUB_OUTPUT" + echo "docker_image_url=${docker_image_url}" >> "$GITHUB_OUTPUT" + echo "quay_image_url=${quay_image_url}" >> "$GITHUB_OUTPUT" + echo "quay_certified_image_url=${quay_certified_image_url}" >> "$GITHUB_OUTPUT" + + # Move prerelease images to official release registries in Docker Hub and Quay + - name: Promote Docker prerelease image + run: devbox run -- ./scripts/move-image.sh + env: + IMAGE_SRC_REPO: ${{ env.DOCKER_PRERELEASE_REPO }} + IMAGE_DEST_REPO: ${{ env.DOCKER_RELEASE_REPO }} + IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }} + IMAGE_DEST_TAG: ${{ steps.tags.outputs.release_tag }} + + - name: Promote Quay prerelease image + run: devbox run -- ./scripts/move-image.sh + env: + IMAGE_SRC_REPO: ${{ env.QUAY_PRERELEASE_REPO }} + IMAGE_DEST_REPO: ${{ env.QUAY_RELEASE_REPO }} + IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }} + IMAGE_DEST_TAG: ${{ steps.tags.outputs.release_tag }} + + # Create Openshift certified images + - name: Create OpenShift certified image on Quay + run: devbox run -- ./scripts/move-image.sh + env: + IMAGE_SRC_REPO: ${{ env.QUAY_PRERELEASE_REPO }} + IMAGE_DEST_REPO: ${{ env.QUAY_RELEASE_REPO }} + IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }} + 
IMAGE_DEST_TAG: ${{ steps.tags.outputs.certified_tag }} + + # Link updates to pr: all-in-one.yml, helm-updates, sdlc requirements + - name: Generate deployment configurations + uses: ./.github/actions/gen-install-scripts + with: + ENV: prod + IMAGE_URL: ${{ steps.tags.outputs.docker_image_url }} + + - name: Bump Helm chart version + run: devbox run -- ./scripts/bump-helm-chart-version.sh + + # Prepare SDLC requirement: signatures, sboms, compliance reports + # Note, signed images will live in mongodb/release and mongodb/signature repos + - name: Sign released images + run: | + devbox run -- make sign IMG="${{ steps.tags.outputs.docker_image_url }}" SIGNATURE_REPO="${{ env.DOCKER_RELEASE_REPO }}" + devbox run -- make sign IMG="${{ steps.tags.outputs.quay_image_url }}" SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}" + devbox run -- make sign IMG="${{ steps.tags.outputs.docker_image_url }}" SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}" + devbox run -- make sign IMG="${{ steps.tags.outputs.quay_certified_image_url }}" SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}" + devbox run -- make sign IMG="${{ steps.tags.outputs.quay_certified_image_url }}" SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}" + env: + PKCS11_URI: ${{ secrets.PKCS11_URI }} + GRS_USERNAME: ${{ secrets.GRS_USERNAME }} + GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} + + - name: Generate SBOMs + run: devbox run -- make generate-sboms + env: + RELEASED_OPERATOR_IMAGE: ${{ env.DOCKER_RELEASE_REPO }} + + - name: Generate SDLC report + run: devbox run -- make gen-sdlc-checklist + + # Create pr with all updates + - name: Create pull request for release changes + uses: peter-evans/create-pull-request@v6 + with: + token: ${{ steps.generate_token.outputs.token }} + commit-message: "chore(release): updates from new release v${{ env.VERSION }}" + title: "Release v${{ env.VERSION }}" + body: | + This PR was automatically generated by the **release-image** workflow. 
+ + Version: `${{ env.VERSION }}` + Authors: ${{ env.AUTHORS }} + base: main + branch: "new-release/${{ env.VERSION }}" # This should avoid for now running all tests till we fix cloud-test-filter.yml + delete-branch: true + draft: true + + # Create release assets on GitHub + - name: Create configuration package + run: | + devbox run -- 'set -x' + devbox run -- 'tar czvf atlas-operator-all-in-one-${{ env.VERSION }}.tar.gz -C deploy all-in-one.yaml' + + - name: Create Release + id: create_release + uses: actions/create-release@v1 + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + with: + tag_name: ${{ env.VERSION }} + release_name: ${{ env.VERSION }} + body_path: docs/release-notes/release-notes-template.md + draft: true + prerelease: false + + - name: Upload Release Asset + id: upload-release-asset + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_path: ./atlas-operator-all-in-one-${{ env.VERSION }}.tar.gz + asset_name: atlas-operator-all-in-one-${{ env.VERSION }}.tar.gz + asset_content_type: application/tgz diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index 545466e932..dd0852335e 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml 
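Review bot: The job ignores its own `workflow_dispatch` inputs: `VERSION`, `AUTHORS` and `COMMIT_SHA` are hard-coded to test values (`test-0.0.1`, a personal e-mail, `99511c`), the registries and login secrets point at the `andrpac` namespaces, and the `push: branches: '**'` trigger means every push to any branch runs this release job with the `release` environment's signing and registry credentials. If this is deliberate scaffolding it needs a prominent `# TODO: testing only - wire inputs.* and remove the push trigger before merge` at the top; otherwise it should not land in this form. `${{ env.COMMIT_SHA }}` and `${{ env.VERSION }}` are interpolated into `run:` scripts; once they come from `inputs.*` that is script injection by anyone who can dispatch the workflow, so read them as `$COMMIT_SHA`/`$VERSION` (job `env` is already exported) and reject a SHA not matching `^[0-9a-fA-F]{6,40}$`. `actions/create-release@v1` and `actions/upload-release-asset@v1` are archived and unmaintained; `gh release create … --draft` with the app token covers both steps. The Artifactory login is performed but nothing in the job uses that registry.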
@@ -63,170 +63,3 @@ jobs: tags: ${{ steps.set_image_url.outputs.image_url }} platforms: linux/amd64,linux/arm64 push_to_docker: false - - e2e: - needs: [prepare-e2e] - runs-on: ubuntu-latest - environment: test - strategy: - fail-fast: false - matrix: - k8s: ${{ fromJson(needs.prepare-e2e.outputs.test_matrix) }} - test: - [ - "alert-config", - "auditing", - "cloud-access-role", - "deployment-annotations-ns", - "deployment-ns", - "users", - "users-oidc", - "deployment-wide", - "encryption-at-rest", - "free-tier", - "global-deployment", - "integration-ns", - "long-run", - "multinamespaced", - "networkpeering", - "privatelink", - "private-endpoint", - "project-settings", - "x509auth", - "custom-roles", - "teams", - "backup-config", - "datafederation", - "atlas-search-nodes", - "atlas-search-index", - "cache-watch", - "reconcile-all", - "reconcile-one", - "reconcile-two", - "backup-compliance", - "flex", - "ip-access-list", - "dry-run", - "networkcontainer-controller", - "networkpeering-controller", - ] - steps: - - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.head.sha || github.sha }} - - - name: Install devbox - uses: jetify-com/devbox-install-action@v0.13.0 - with: - enable-cache: 'true' - - - name: Generate kustomized all-in-one install configs - uses: ./.github/actions/gen-install-scripts - with: - ENV: dev - VERSION: dev - - - name: Extract k8s version/platform - id: extract - run: | - echo "k8s_version=$(echo '${{ matrix.k8s }}' | awk -F '-' '{print $1}')" >> $GITHUB_OUTPUT - echo "k8s_platform=$(echo '${{ matrix.k8s }}' | awk -F '-' '{print $2}')" >> $GITHUB_OUTPUT - - - name: Setup kind cluster - if: ${{ steps.extract.outputs.k8s_platform == 'kind' }} - uses: helm/kind-action@v1.12.0 - with: - version: v0.26.0 - config: test/helper/e2e/config/kind.yaml - node_image: kindest/node:${{ steps.extract.outputs.k8s_version }} - cluster_name: ${{ matrix.test }}-${{ matrix.k8s }} - wait: 180s - - - name: Print Kubernetes version - run: devbox 
run -- kubectl version - - - name: Apply CRDs - run: devbox run -- kubectl apply -f deploy/crds - - - name: Run CI E2E tests - run: devbox run -- ./scripts/launch-ci-e2e.sh - env: - TEST_NAME: ${{ matrix.test }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_ACCOUNT_ARN_LIST: ${{ secrets.AWS_ACCOUNT_ARN_LIST }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - GCP_SA_CRED: ${{ secrets.GCP_SA_CRED }} - DATADOG_KEY: ${{ secrets.DATADOG_KEY }} - PAGER_DUTY_SERVICE_KEY: ${{ secrets.PAGER_DUTY_SERVICE_KEY }} - - - name: Upload logs on failure - if: ${{ failure() }} - uses: actions/upload-artifact@v4 - with: - name: logs - path: output/** - - helm-e2e: - needs: [prepare-e2e, prepare-e2e-image] - runs-on: ubuntu-latest - environment: test - strategy: - fail-fast: false - matrix: - k8s: ${{ fromJson(needs.prepare-e2e.outputs.test_matrix) }} - test: ["helm-ns", "helm-update", "helm-wide"] - steps: - - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.head.sha || github.sha }} - - - name: Install devbox - uses: jetify-com/devbox-install-action@v0.13.0 - with: - enable-cache: 'true' - - - name: Generate kustomized all-in-one install configs with helm-based image - uses: ./.github/actions/gen-install-scripts - with: - ENV: dev - VERSION: dev - IMAGE_URL: ${{ needs.prepare-e2e-image.outputs.image_url }} - - - name: Extract k8s version/platform - id: extract - run: | - echo "k8s_version=$(echo '${{ matrix.k8s }}' | awk -F '-' '{print $1}')" >> $GITHUB_OUTPUT - echo "k8s_platform=$(echo '${{ matrix.k8s }}' | awk -F '-' '{print $2}')" >> $GITHUB_OUTPUT - - - name: Setup kind cluster - if: ${{ steps.extract.outputs.k8s_platform == 'kind' }} - uses: helm/kind-action@v1.12.0 - with: - version: v0.26.0 - config: 
test/helper/e2e/config/kind.yaml - node_image: kindest/node:${{ steps.extract.outputs.k8s_version }} - cluster_name: ${{ matrix.test }}-${{ matrix.k8s }} - wait: 180s - - - name: Print Kubernetes version - run: devbox run -- kubectl version - - - name: Run CI helm-E2E test with prepared image - run: devbox run -- ./scripts/launch-ci-e2e.sh - env: - TEST_NAME: ${{ matrix.test }} - IMAGE_PULL_SECRET_REGISTRY: ghcr.io - IMAGE_URL: ${{ needs.prepare-e2e-image.outputs.image_url }} - IMAGE_PULL_SECRET_USERNAME: ${{ github.actor }} - IMAGE_PULL_SECRET_PASSWORD: "${{ secrets.GITHUB_TOKEN }}" - - - name: Upload logs on failure - if: ${{ failure() }} - uses: actions/upload-artifact@v4 - with: - name: logs - path: output/** diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c66a83b19c..40085137ba 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -35,54 +35,14 @@ jobs: - name: allowed message run: echo "Allowed to run tests" - lint: - needs: - - run-tests - uses: ./.github/workflows/lint.yaml - - validate-manifests: - needs: - - run-tests - uses: ./.github/workflows/validate-manifests.yml - - unit-tests: - needs: - - run-tests - uses: ./.github/workflows/test-unit.yml - secrets: inherit - - license-header-check: - needs: - - run-tests - uses: ./.github/workflows/license-header-check.yml - - check-licenses: - needs: - - run-tests - uses: ./.github/workflows/check-licenses.yml - cloud-tests-filter: if: github.event.pull_request.head.repo.fork == false needs: - run-tests uses: ./.github/workflows/cloud-tests-filter.yml - e2e2: - needs: - - lint - - unit-tests - - validate-manifests - - check-licenses - - cloud-tests-filter - uses: ./.github/workflows/tests-e2e2.yaml - secrets: inherit - cloud-tests: needs: - - lint - - unit-tests - - validate-manifests - - check-licenses - cloud-tests-filter if: | github.event_name == 'merge_group' || needs.cloud-tests-filter.outputs.run-cloud-tests == 'true' 
diff --git a/scripts/move-image.sh b/scripts/move-image.sh index 691dc55cf0..5aef05c054 100755 --- a/scripts/move-image.sh +++ b/scripts/move-image.sh @@ -2,7 +2,7 @@ # Copyright 2025 MongoDB Inc # # Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. +# You may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -# This scripts moves an image from a registry to another with retagging +# This script moves a multi-arch image from one registry to another using docker buildx. set -euo pipefail @@ -26,12 +26,20 @@ set -euo pipefail image_src_url="${IMAGE_SRC_REPO}:${IMAGE_SRC_TAG}" image_dest_url="${IMAGE_DEST_REPO}:${IMAGE_DEST_TAG}" -echo "Checking if ${image_dest_url} already exists..." +echo "Checking if ${image_dest_url} already exists remotely..." if docker manifest inspect "${image_dest_url}" > /dev/null 2>&1; then - echo "${image_dest_url} already exists. Skipping push." -else - echo "Tagging ${image_src_url} -> ${image_dest_url}" - docker tag "${image_src_url}" "${image_dest_url}" - echo "Pushing to ${image_dest_url}..." - docker push "${image_dest_url}" + echo "Image ${image_dest_url} already exists. Skipping transfer." + exit 0 fi + +echo "Transferring multi-arch image:" +echo " From: ${image_src_url}" +echo " To: ${image_dest_url}" + +BUILDER_NAME="tmpbuilder-move-image" + +echo "Creating temporary buildx builder..." +docker buildx create --name "${BUILDER_NAME}" --use > /dev/null +docker buildx imagetools create "${image_src_url}" --tag "${image_dest_url}" +docker buildx rm "${BUILDER_NAME}" > /dev/null +echo "Successfully moved ${image_src_url} -> ${image_dest_url}" From 121c569033b16f722aac60602b293894f12e394c Mon Sep 17 00:00:00 2001 
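Review bot: `docker buildx create --name "${BUILDER_NAME}" --use` is never cleaned up if `imagetools create` fails: `set -e` exits before `docker buildx rm`, the builder stays selected, and the next run on the same runner fails at `create` because the fixed name already exists. Register the removal as `trap 'docker buildx rm "${BUILDER_NAME}" > /dev/null 2>&1 || true' EXIT` immediately after creating it, or drop the builder altogether, since `docker buildx imagetools create` only copies manifests between registries and does not need a dedicated builder instance. The skip-if-exists branch still does not check that the existing `${image_dest_url}` carries the same digest as the source, so a stale destination tag is silently kept while the script reports success.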
From: andrpac Date: Mon, 14 Jul 2025 12:47:20 +0100 Subject: [PATCH 4/6] feat: releases --- .github/workflows/release-image.yml | 202 +++++++++++++--------------- 1 file changed, 94 insertions(+), 108 deletions(-) diff --git a/.github/workflows/release-image.yml b/.github/workflows/release-image.yml index cb9b89d3e6..57c41b580b 100644 --- a/.github/workflows/release-image.yml +++ b/.github/workflows/release-image.yml @@ -16,6 +16,7 @@ on: required: false default: "latest" type: string + push: branches: - '**' @@ -25,14 +26,45 @@ permissions: pull-requests: write jobs: - release-image: + resolve_commit_sha: + name: Resolve Commit SHA + runs-on: ubuntu-latest + env: + COMMIT_SHA: latest # for testing; replace with "${{ inputs.commit_sha }}" later + outputs: + sha: ${{ steps.resolve.outputs.sha }} + steps: + - name: Checkout repo to access refs + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Resolve commit to check out + id: resolve + run: | + if [ "${{ env.COMMIT_SHA }}" = "latest" ]; then + branch="${GITHUB_REF#refs/heads/}" + echo "Resolving latest commit on branch: $branch" + git fetch origin "$branch" + sha=$(git rev-parse origin/"$branch") + else + echo "Using specified commit SHA: ${{ env.COMMIT_SHA }}" + sha="${{ env.COMMIT_SHA }}" + git fetch origin "$sha" + fi + + echo "Resolved commit SHA: $sha" + echo "sha=$sha" >> "$GITHUB_OUTPUT" + + prepare_release: + name: Release Image + needs: resolve_commit_sha runs-on: ubuntu-latest environment: release env: - VERSION: test-0.0.1 + VERSION: test-0.0.0 AUTHORS: andrei.pacurar@mongodb.com - COMMIT_SHA: 99511c - + COMMIT_SHA: ${{ needs.resolve_commit_sha.outputs.sha }} DOCKER_RELEASE_REPO: docker.io/andrpac/mongodb-atlas-kubernetes-operator DOCKER_PRERELEASE_REPO: docker.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease DOCKER_SIGNATURE_REPO: docker.io/andrpac/signatures 
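Review bot: In the `resolve` step the non-`latest` branch runs `git fetch origin "$sha"` and then publishes `$sha` unchanged, but the `commit_sha` input is documented as a short id like `7c2a91`, and git does not fetch by abbreviated SHA; the downstream `ref: ${{ env.COMMIT_SHA }}` checkout would then receive the short form as well. Since the checkout above already uses `fetch-depth: 0`, validate and resolve locally instead: `[[ "$COMMIT_SHA" =~ ^[0-9a-fA-F]{6,40}$ ]] || { echo "invalid commit sha" >&2; exit 1; }` followed by `sha=$(git rev-parse --verify "${COMMIT_SHA}^{commit}")`, reading the env var directly rather than `${{ env.COMMIT_SHA }}` so a dispatched value cannot become a shell injection. The `# for testing; replace with "${{ inputs.commit_sha }}" later` marker, the hard-coded `VERSION: test-0.0.0`/`AUTHORS`, and the `push: branches: '**'` trigger are still present, so every push still runs a release against the `andrpac` registries. `prepare_release` declares no `outputs:` block in this hunk although the next hunk reads `needs.prepare_release.outputs.release_ref`; unless it sits on an unchanged line I cannot see, `publish_release` will receive an empty `RELEASE_REF`.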
@@ -40,10 +72,11 @@ jobs: QUAY_PRERELEASE_REPO: quay.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease steps: - - name: Checkout code + - name: Checkout resolved commit uses: actions/checkout@v4 with: fetch-depth: 0 + ref: ${{ env.COMMIT_SHA }} - name: Generate GitHub App Token id: generate_token @@ -51,8 +84,7 @@ jobs: with: app-id: ${{ secrets.AKO_RELEASER_APP_ID }} private-key: ${{ secrets.AKO_RELEASER_RSA_KEY }} - - # Login in into all registries + - name: Log in to Docker registry uses: docker/login-action@v3 with: @@ -74,28 +106,18 @@ jobs: username: ${{ secrets.MDB_ARTIFACTORY_USERNAME }} password: ${{ secrets.MDB_ARTIFACTORY_PASSWORD }} - - name: Install devbox - uses: jetify-com/devbox-install-action@v0.13.0 - - name: Resolve commit SHA and tags id: tags run: | - if [ "${{ env.COMMIT_SHA }}" = "latest" ]; then - git fetch origin main - sha=$(git rev-parse origin/main) - else - sha="${{ env.COMMIT_SHA }}" - fi - - short_sha="${sha:0:6}" + short_sha="${COMMIT_SHA:0:6}" promoted_tag="promoted-${short_sha}" - release_tag="${{ env.VERSION }}" + release_tag="${VERSION}" certified_tag="certified-${release_tag}" + docker_image_url="${DOCKER_RELEASE_REPO}:${release_tag}" + quay_image_url="${QUAY_RELEASE_REPO}:${release_tag}" + quay_certified_image_url="${QUAY_RELEASE_REPO}:${certified_tag}" - docker_image_url="${{ env.DOCKER_RELEASE_REPO }}:${release_tag}" - quay_image_url="${{ env.QUAY_RELEASE_REPO }}:${release_tag}" - quay_certified_image_url="${{ env.QUAY_RELEASE_REPO }}:${certified_tag}" - + echo "sha=${COMMIT_SHA}" >> "$GITHUB_OUTPUT" echo "promoted_tag=${promoted_tag}" >> "$GITHUB_OUTPUT" echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT" echo "certified_tag=${certified_tag}" >> "$GITHUB_OUTPUT" 
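Review bot: The step is still named `Resolve commit SHA and tags` although resolution now happens in `resolve_commit_sha` and this step only derives tags and URLs; renaming it to `Compute image tags and URLs` keeps the job readable. Reading `COMMIT_SHA`, `VERSION` and the repository names from the environment instead of `${{ env.* }}` expressions is the right change here. Removing the `Install devbox` step means the later `make` steps run against the runner's own toolchain, which is fine only if those targets do not depend on devbox-managed binaries; I cannot verify that from this hunk, so a comment on the first `make` step stating the assumption would help.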
@@ -103,106 +125,70 @@ jobs: echo "quay_image_url=${quay_image_url}" >> "$GITHUB_OUTPUT" echo "quay_certified_image_url=${quay_certified_image_url}" >> "$GITHUB_OUTPUT" - # Move prerelease images to official release registries in Docker Hub and Quay - - name: Promote Docker prerelease image - run: devbox run -- ./scripts/move-image.sh - env: - IMAGE_SRC_REPO: ${{ env.DOCKER_PRERELEASE_REPO }} - IMAGE_DEST_REPO: ${{ env.DOCKER_RELEASE_REPO }} - IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }} - IMAGE_DEST_TAG: ${{ steps.tags.outputs.release_tag }} - - - name: Promote Quay prerelease image - run: devbox run -- ./scripts/move-image.sh - env: - IMAGE_SRC_REPO: ${{ env.QUAY_PRERELEASE_REPO }} - IMAGE_DEST_REPO: ${{ env.QUAY_RELEASE_REPO }} - IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }} - IMAGE_DEST_TAG: ${{ steps.tags.outputs.release_tag }} - - # Create Openshift certified images - - name: Create OpenShift certified image on Quay - run: devbox run -- ./scripts/move-image.sh - env: - IMAGE_SRC_REPO: ${{ env.QUAY_PRERELEASE_REPO }} - IMAGE_DEST_REPO: ${{ env.QUAY_RELEASE_REPO }} - IMAGE_SRC_TAG: ${{ steps.tags.outputs.promoted_tag }} - IMAGE_DEST_TAG: ${{ steps.tags.outputs.certified_tag }} - - # Link updates to pr: all-in-one.yml, helm-updates, sdlc requirements - name: Generate deployment configurations uses: ./.github/actions/gen-install-scripts with: ENV: prod IMAGE_URL: ${{ steps.tags.outputs.docker_image_url }} - - name: Bump Helm chart version - run: devbox run -- ./scripts/bump-helm-chart-version.sh + - name: Generate SDLC checklist files for released version + run: make gen-sdlc-checklist - # Prepare SDLC requirement: signatures, sboms, compliance reports - # Note, signed images will live in mongodb/release and mongodb/signature repos - - name: Sign released images - run: | - devbox run -- make sign IMG="${{ steps.tags.outputs.docker_image_url }}" SIGNATURE_REPO="${{ env.DOCKER_RELEASE_REPO }}" - devbox run -- make sign IMG="${{ 
steps.tags.outputs.quay_image_url }}" SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}" - devbox run -- make sign IMG="${{ steps.tags.outputs.docker_image_url }}" SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}" - devbox run -- make sign IMG="${{ steps.tags.outputs.quay_certified_image_url }}" SIGNATURE_REPO="${{ env.QUAY_RELEASE_REPO }}" - devbox run -- make sign IMG="${{ steps.tags.outputs.quay_certified_image_url }}" SIGNATURE_REPO="${{ env.DOCKER_SIGNATURE_REPO }}" + - name: Create release branch with updates, tag new updates + id: generate_branch env: - PKCS11_URI: ${{ secrets.PKCS11_URI }} - GRS_USERNAME: ${{ secrets.GRS_USERNAME }} - GRS_PASSWORD: ${{ secrets.GRS_PASSWORD }} + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + run: | + git config --global user.name "${{ steps.generate_token.outputs.user-name }}" + git config --global user.email "${{ steps.generate_token.outputs.user-email }}" - - name: Generate SBOMs - run: devbox run -- make generate-sboms - env: - RELEASED_OPERATOR_IMAGE: ${{ env.DOCKER_RELEASE_REPO }} + export BRANCH="new-release/${VERSION}" + export COMMIT_MESSAGE="Release ${VERSION}" + + git checkout -b "$BRANCH" + git add -f ./deploy ./bundle bundle.Dockerfile docs/releases + scripts/create-signed-commit.sh - - name: Generate SDLC report - run: devbox run -- make gen-sdlc-checklist + gh pr create --head="$BRANCH" \ + --title "$COMMIT_MESSAGE" \ + --body "This is an autogenerated PR to prepare for the release" - # Create pr with all updates - - name: Create pull request for release changes - uses: peter-evans/create-pull-request@v6 + echo "release_ref=$BRANCH" >> "$GITHUB_OUTPUT" + + publish_release: + name: Build & Publish Release + needs: prepare_release + runs-on: ubuntu-latest + environment: release + env: + VERSION: test-0.0.0 + RELEASE_REF: ${{ needs.prepare_release.outputs.release_ref }} + steps: + - name: Generate GitHub App Token + id: token2 + uses: mongodb/apix-action/token@v8 with: - token: ${{ 
steps.generate_token.outputs.token }} - commit-message: "chore(release): updates from new release v${{ env.VERSION }}" - title: "Release v${{ env.VERSION }}" - body: | - This PR was automatically generated by the **release-image** workflow. - - Version: `${{ env.VERSION }}` - Authors: ${{ env.AUTHORS }} - base: main - branch: "new-release/${{ env.VERSION }}" # This should avoid for now running all tests till we fix cloud-test-filter.yml - delete-branch: true - draft: true - - # Create release assets on GitHub + app-id: ${{ secrets.AKO_RELEASER_APP_ID }} + private-key: ${{ secrets.AKO_RELEASER_RSA_KEY }} + + - name: Checkout the release commit + uses: actions/checkout@v4 + with: + ref: ${{ env.RELEASE_REF }} + fetch-depth: 0 + - name: Create configuration package run: | - devbox run -- 'set -x' - devbox run -- 'tar czvf atlas-operator-all-in-one-${{ env.VERSION }}.tar.gz -C deploy all-in-one.yaml' + tar czvf atlas-operator-all-in-one-${VERSION}.tar.gz -C deploy all-in-one.yaml - - name: Create Release - id: create_release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + - name: Create GitHub Release and Upload Asset + uses: softprops/action-gh-release@v1 with: tag_name: ${{ env.VERSION }} - release_name: ${{ env.VERSION }} - body_path: docs/release-notes/release-notes-template.md - draft: true + name: ${{ env.VERSION }} + token: ${{ steps.token2.outputs.token }} + files: ./atlas-operator-all-in-one-${{ env.VERSION }}.tar.gz + target_commitish: ${{ env.RELEASE_REF }} + generate_release_notes: true prerelease: false - - - name: Upload Release Asset - id: upload-release-asset - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./atlas-operator-all-in-one-${{ env.VERSION }}.tar.gz - asset_name: atlas-operator-all-in-one-${{ env.VERSION }}.tar.gz - asset_content_type: application/tgz + 
draft: true \ No newline at end of file From 636904e8b28779daa86ddeaa80494e740c6784a4 Mon Sep 17 00:00:00 2001 From: "ako-releaser[bot]" <151840681+ako-releaser[bot]@users.noreply.github.com> Date: Mon, 14 Jul 2025 22:14:09 +0000 Subject: [PATCH 5/6] Release test-0.0.0 --- .../atlas.mongodb.com_atlasdeployments.yaml | 6 +++ ...tlas-kubernetes.clusterserviceversion.yaml | 12 ++--- config/manager/kustomization.yaml | 4 +- deploy/all-in-one.yaml | 8 +++- deploy/clusterwide/clusterwide-config.yaml | 2 +- deploy/clusterwide/crds.yaml | 6 +++ .../atlas.mongodb.com_atlasdeployments.yaml | 6 +++ deploy/namespaced/crds.yaml | 6 +++ deploy/namespaced/namespaced-config.yaml | 2 +- deploy/openshift/crds.yaml | 6 +++ deploy/openshift/openshift.yaml | 2 +- docs/releases/vtest-0.0.0/sdlc-compliance.md | 45 +++++++++++++++++++ 12 files changed, 93 insertions(+), 12 deletions(-) create mode 100644 docs/releases/vtest-0.0.0/sdlc-compliance.md diff --git a/bundle/manifests/atlas.mongodb.com_atlasdeployments.yaml b/bundle/manifests/atlas.mongodb.com_atlasdeployments.yaml index ee50f4245f..b8a3bf8f0d 100644 --- a/bundle/manifests/atlas.mongodb.com_atlasdeployments.yaml +++ b/bundle/manifests/atlas.mongodb.com_atlasdeployments.yaml @@ -918,6 +918,12 @@ spec: - name - providerSettings type: object + upgradeToDedicated: + description: |2- + upgradeToDedicated, when set to true, triggers the migration from a Flex to a + Dedicated cluster. The user MUST provide the new dedicated cluster configuration. + This flag is ignored if the cluster is already dedicated. + type: boolean type: object x-kubernetes-validations: - message: must define only one project reference through externalProjectRef diff --git a/bundle/manifests/mongodb-atlas-kubernetes.clusterserviceversion.yaml b/bundle/manifests/mongodb-atlas-kubernetes.clusterserviceversion.yaml index 8126cc78c0..ceb0493fdc 100644 --- a/bundle/manifests/mongodb-atlas-kubernetes.clusterserviceversion.yaml 
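Review bot: The `make sign`, `make generate-sboms` and image-promotion steps are deleted and nothing in the new `prepare_release` or `publish_release` jobs signs or attests the images, yet `make gen-sdlc-checklist` still runs and the report it generates in the next patch states that image signatures are enforced by the CI pipeline; if signing moved to `promote-image.yml`, add a comment above `Generate SDLC checklist files for released version` saying so, otherwise the checklist now attests to something this pipeline no longer does. The newly introduced `softprops/action-gh-release@v1` and `mongodb/apix-action/token@v8` are referenced by mutable tags while running with an App token in the `release` environment; pin each to a full commit SHA with the tag kept in a trailing comment. `VERSION: test-0.0.0` is now duplicated in both jobs and can drift; define it once at workflow level or pass it through job `outputs`. `prepare_release` starts in an earlier hunk.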
+++ b/bundle/manifests/mongodb-atlas-kubernetes.clusterserviceversion.yaml @@ -534,7 +534,7 @@ metadata: ] capabilities: Full Lifecycle categories: Database - createdAt: "2025-07-02T13:39:49Z" + createdAt: "2025-07-14T22:14:01Z" description: The MongoDB Atlas Kubernetes Operator enables easy management of Clusters in MongoDB Atlas features.operators.openshift.io/disconnected: "false" features.operators.openshift.io/fips-compliant: "false" @@ -547,12 +547,12 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 repository: https://github.com/mongodb/mongodb-atlas-kubernetes support: support@mongodb.com - containerImage: mongodb/mongodb-atlas-kubernetes-operator:2.9.1 + containerImage: docker.io/andrpac/mongodb-atlas-kubernetes-operator:test-0.0.0 labels: operatorframework.io/arch.amd64: supported operatorframework.io/arch.arm64: supported operatorframework.io/os.linux: supported - name: mongodb-atlas-kubernetes.v2.9.1 + name: mongodb-atlas-kubernetes.v0.0.0 namespace: placeholder spec: apiservicedefinitions: {} @@ -808,7 +808,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.annotations['olm.targetNamespaces'] - image: mongodb/mongodb-atlas-kubernetes-operator:2.9.1 + image: docker.io/andrpac/mongodb-atlas-kubernetes-operator:test-0.0.0 imagePullPolicy: Always livenessProbe: httpGet: @@ -892,5 +892,5 @@ spec: maturity: beta provider: name: MongoDB, Inc - version: 2.9.1 - replaces: mongodb-atlas-kubernetes.v2.9.0 + version: 0.0.0 + replaces: mongodb-atlas-kubernetes.v2.9.1 diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 3fff207146..23b54fff59 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -7,5 +7,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: controller - newName: mongodb/mongodb-atlas-kubernetes-operator - newTag: 2.9.1 + newName: docker.io/andrpac/mongodb-atlas-kubernetes-operator + newTag: test-0.0.0 
diff --git a/deploy/all-in-one.yaml b/deploy/all-in-one.yaml index a81f899ab6..9af5f6c507 100644 --- a/deploy/all-in-one.yaml +++ b/deploy/all-in-one.yaml @@ -2326,6 +2326,12 @@ spec: - name - providerSettings type: object + upgradeToDedicated: + description: |2- + upgradeToDedicated, when set to true, triggers the migration from a Flex to a + Dedicated cluster. The user MUST provide the new dedicated cluster configuration. + This flag is ignored if the cluster is already dedicated. + type: boolean type: object x-kubernetes-validations: - message: must define only one project reference through externalProjectRef @@ -6874,7 +6880,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: mongodb/mongodb-atlas-kubernetes-operator:2.9.1 + image: docker.io/andrpac/mongodb-atlas-kubernetes-operator:test-0.0.0 imagePullPolicy: Always livenessProbe: httpGet: diff --git a/deploy/clusterwide/clusterwide-config.yaml b/deploy/clusterwide/clusterwide-config.yaml index f02fdcccd8..9a6ddace33 100644 --- a/deploy/clusterwide/clusterwide-config.yaml +++ b/deploy/clusterwide/clusterwide-config.yaml @@ -228,7 +228,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: mongodb/mongodb-atlas-kubernetes-operator:2.9.1 + image: docker.io/andrpac/mongodb-atlas-kubernetes-operator:test-0.0.0 imagePullPolicy: Always livenessProbe: httpGet: diff --git a/deploy/clusterwide/crds.yaml b/deploy/clusterwide/crds.yaml index 404619780f..4c5860910b 100644 --- a/deploy/clusterwide/crds.yaml +++ b/deploy/clusterwide/crds.yaml 
@@ -2289,6 +2289,12 @@ spec: - name - providerSettings type: object + upgradeToDedicated: + description: |2- + upgradeToDedicated, when set to true, triggers the migration from a Flex to a + Dedicated cluster. The user MUST provide the new dedicated cluster configuration. + This flag is ignored if the cluster is already dedicated. + type: boolean type: object x-kubernetes-validations: - message: must define only one project reference through externalProjectRef diff --git a/deploy/crds/atlas.mongodb.com_atlasdeployments.yaml b/deploy/crds/atlas.mongodb.com_atlasdeployments.yaml index 4578e8b83a..d56acb0ebc 100644 --- a/deploy/crds/atlas.mongodb.com_atlasdeployments.yaml +++ b/deploy/crds/atlas.mongodb.com_atlasdeployments.yaml @@ -914,6 +914,12 @@ spec: - name - providerSettings type: object + upgradeToDedicated: + description: |2- + upgradeToDedicated, when set to true, triggers the migration from a Flex to a + Dedicated cluster. The user MUST provide the new dedicated cluster configuration. + This flag is ignored if the cluster is already dedicated. + type: boolean type: object x-kubernetes-validations: - message: must define only one project reference through externalProjectRef diff --git a/deploy/namespaced/crds.yaml b/deploy/namespaced/crds.yaml index 404619780f..4c5860910b 100644 --- a/deploy/namespaced/crds.yaml +++ b/deploy/namespaced/crds.yaml @@ -2289,6 +2289,12 @@ spec: - name - providerSettings type: object + upgradeToDedicated: + description: |2- + upgradeToDedicated, when set to true, triggers the migration from a Flex to a + Dedicated cluster. The user MUST provide the new dedicated cluster configuration. + This flag is ignored if the cluster is already dedicated. + type: boolean type: object x-kubernetes-validations: - message: must define only one project reference through externalProjectRef diff --git a/deploy/namespaced/namespaced-config.yaml b/deploy/namespaced/namespaced-config.yaml index 82ca7411af..20732a795d 100644 
--- a/deploy/namespaced/namespaced-config.yaml +++ b/deploy/namespaced/namespaced-config.yaml @@ -230,7 +230,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: mongodb/mongodb-atlas-kubernetes-operator:2.9.1 + image: docker.io/andrpac/mongodb-atlas-kubernetes-operator:test-0.0.0 imagePullPolicy: Always livenessProbe: httpGet: diff --git a/deploy/openshift/crds.yaml b/deploy/openshift/crds.yaml index 404619780f..4c5860910b 100644 --- a/deploy/openshift/crds.yaml +++ b/deploy/openshift/crds.yaml @@ -2289,6 +2289,12 @@ spec: - name - providerSettings type: object + upgradeToDedicated: + description: |2- + upgradeToDedicated, when set to true, triggers the migration from a Flex to a + Dedicated cluster. The user MUST provide the new dedicated cluster configuration. + This flag is ignored if the cluster is already dedicated. + type: boolean type: object x-kubernetes-validations: - message: must define only one project reference through externalProjectRef diff --git a/deploy/openshift/openshift.yaml b/deploy/openshift/openshift.yaml index 9cbef80ee0..4414fb714a 100644 --- a/deploy/openshift/openshift.yaml +++ b/deploy/openshift/openshift.yaml @@ -229,7 +229,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: mongodb/mongodb-atlas-kubernetes-operator:2.9.1 + image: docker.io/andrpac/mongodb-atlas-kubernetes-operator:test-0.0.0 imagePullPolicy: Always livenessProbe: httpGet: diff --git a/docs/releases/vtest-0.0.0/sdlc-compliance.md b/docs/releases/vtest-0.0.0/sdlc-compliance.md new file mode 100644 index 0000000000..b384a5e3d0 --- /dev/null +++ b/docs/releases/vtest-0.0.0/sdlc-compliance.md 
@@ -0,0 +1,45 @@ +SSDLC Compliance Report: Atlas Kubernetes Operator Manager vtest-0.0.0 +================================================================= + +- Release Creators: andrei.pacurar@mongodb.com +- Created On: 2025-07-14 + +Overview: + +- **Product and Release Name** + + - Atlas Kubernetes Operator vtest-0.0.0, 2025-07-14. + +- **Process Document** + - http://go/how-we-develop-software-doc + +- **Tool used to track third party vulnerabilities** + - [Kondukto](https://arcticglow.kondukto.io/) + +- **Dependency Information** + - See SBOMS Lite manifests (CycloneDX in JSON format) for `Intel` and `ARM` are to be found [here](.) + - See [instructions on how the SBOMs are generated or how to generate them manually](../../dev/image-sboms.md) + +- **Static Analysis Report** + - No SAST findings. Our CI system blocks merges on any SAST findings. + - No vulnerabilities were ignored for this release. + +- **Release Signature Report** + - Image signatures enforced by CI pipeline. + - See [Signature verification instructions here](../../dev/signed-images.md) + - Self-verification shortcut: + ```shell + make verify IMG=mongodb/mongodb-atlas-kubernetes-operator:test-0.0.0 SIGNATURE_REPO=mongodb/signatures + ``` + +- **Security Testing Report** + - Available as needed from Cloud Security. + +- **Security Assessment Report** + - Available as needed from Cloud Security. + +Assumptions and attestations: + +- Internal processes are used to ensure CVEs are identified and mitigated within SLAs. + +- All Operator images are signed by MongoDB, with signatures stored at `docker.io/mongodb/signatures`. From a23d6a719bc60b7504d17f90eb833c6cf0a6e07e Mon Sep 17 00:00:00 2001 From: "ako-releaser[bot]" <151840681+ako-releaser[bot]@users.noreply.github.com> Date: Mon, 14 Jul 2025 22:15:44 +0000 Subject: [PATCH 6/6] Release test-0.0.0 --- .../mongodb-atlas-kubernetes.clusterserviceversion.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/bundle/manifests/mongodb-atlas-kubernetes.clusterserviceversion.yaml b/bundle/manifests/mongodb-atlas-kubernetes.clusterserviceversion.yaml index ceb0493fdc..037dca7e77 100644 --- a/bundle/manifests/mongodb-atlas-kubernetes.clusterserviceversion.yaml +++ b/bundle/manifests/mongodb-atlas-kubernetes.clusterserviceversion.yaml @@ -534,7 +534,7 @@ metadata: ] capabilities: Full Lifecycle categories: Database - createdAt: "2025-07-14T22:14:01Z" + createdAt: "2025-07-14T22:15:41Z" description: The MongoDB Atlas Kubernetes Operator enables easy management of Clusters in MongoDB Atlas features.operators.openshift.io/disconnected: "false" features.operators.openshift.io/fips-compliant: "false" @@ -893,4 +893,4 @@ spec: provider: name: MongoDB, Inc version: 0.0.0 - replaces: mongodb-atlas-kubernetes.v2.9.1 + replaces: mongodb-atlas-kubernetes.v0.0.0