Merge branch 'master' into DEVPROD-19870-part1

Author: anandsyncs

.evergreen-functions.yml

@@ -517,30 +517,14 @@ functions:
           # docker buildx needs the moby/buildkit image when setting up a builder so we pull it from our mirror
           docker buildx create --driver=docker-container --driver-opt=image=268558157000.dkr.ecr.eu-west-1.amazonaws.com/docker-hub-mirrors/moby/buildkit:buildx-stable-1 --use
           docker buildx inspect --bootstrap
-    - command: ec2.assume_role
-      display_name: Assume IAM role with permissions to pull Kondukto API token
-      params:
-        role_arn: ${kondukto_role_arn}
-    - command: shell.exec
-      display_name: Pull Kondukto API token from AWS Secrets Manager and write it to file
-      params:
-        silent: true
-        shell: bash
-        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
-        script: |
-          set -e
-          # use AWS CLI to get the Kondukto API token from AWS Secrets Manager
-          kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)
-          # write the KONDUKTO_TOKEN environment variable to Silkbomb environment file
-          echo "KONDUKTO_TOKEN=$kondukto_token" > ${workdir}/silkbomb.env
     - command: subprocess.exec
       retry_on_failure: true
       type: setup
       params:
         shell: bash
         <<: *e2e_include_expansions_in_env
         working_dir: src/github.com/mongodb/mongodb-kubernetes
-        binary: scripts/dev/run_python.sh scripts/release/pipeline_main.py --parallel ${image_name}
+        binary: scripts/dev/run_python.sh scripts/release/pipeline_main.py --parallel ${image_name} ${all_agents}
 
   # TODO: CLOUDP-335471 ; once all image builds are made with the new atomic pipeline, remove the following function
   legacy_pipeline:

.evergreen.yml

@@ -61,14 +61,14 @@ variables:
         variant: init_test_run
       - name: build_test_image
         variant: init_test_run
-      - name: build_agent_images_ubi
-        variant: init_test_run
       - name: build_readiness_probe_image
         variant: init_test_run
       - name: build_upgrade_hook_image
         variant: init_test_run
       - name: build_mco_test_image
         variant: init_test_run
+      - name: build_agent_images_ubi
+        variant: init_test_run
 
   - &setup_group
     setup_group_can_fail_task: true
@@ -347,19 +347,6 @@ tasks:
           image_name: init-ops-manager
           include_tags: release
 
-  - name: release_agent_operator_release
-    tags: [ "image_release" ]
-    allowed_requesters: [ "patch", "github_tag" ]
-    commands:
-      - func: clone
-      - func: setup_building_host
-      - func: quay_login
-      - func: setup_docker_sbom
-      - func: legacy_pipeline
-        vars:
-          image_name: agent
-          include_tags: release
-
   # pct only triggers this variant once a new agent image is out
   - name: release_agent
     # this enables us to run this variant either manually (patch) which pct does or during an OM bump (github_pr)
@@ -371,8 +358,7 @@ tasks:
       - func: setup_docker_sbom
       - func: legacy_pipeline
         vars:
-          image_name: agent-pct
-          include_tags: release
+          image_name: agent
 
   - name: run_precommit_and_push
     tags: ["patch-run"]
@@ -392,48 +378,17 @@ tasks:
           working_dir: src/github.com/mongodb/mongodb-kubernetes
           binary: scripts/evergreen/precommit_bump.sh
 
-  # Pct only triggers this variant once a new agent image is out
-  # these releases the agent with the operator suffix (not patch id) on ecr to allow for digest pinning to pass.
-  # For this to work, we rely on skip_tags which is used to determine whether
-  # we want to release on quay or not, in this case - ecr instead.
-  # We rely on the init_database from ecr for the agent x operator images.
-  # This runs on agent releases that are not concurrent with operator releases.
-  - name: release_agents_on_ecr_conditional
-    commands:
-      - func: clone
-      - func: run_task_conditionally
-        vars:
-          condition_script: scripts/evergreen/should_release_agents_on_ecr.sh
-          variant: init_release_agents_on_ecr
-          task: release_agents_on_ecr
-
-  - name: release_agents_on_ecr
-    # this enables us to run this variant either manually (patch) which pct does or during an OM bump (github_pr)
-    allowed_requesters: [ "patch", "github_pr" ]
-    priority: 70
-    commands:
-      - func: clone
-      - func: setup_building_host
-      - func: legacy_pipeline
-        vars:
-          image_name: agent-pct
-          skip_tags: release
-
   - name: release_all_agents_on_ecr
-    # this enables us to run this manually (patch) and release all agent versions to ECR
-    # it's needed during operator new version release process - e2e tests (especially olm tests)
-    # will look for agent with new operator version suffix, but during PR checks we only build
-    # agent versions for most recent major OM versions and the tests will fail. Before running the PR
-    # we have to manually release all agents to ECR by triggering this patch
+    # this enables us to run this manually (patch) and release all agent versions to ECR to verify
+    # Dockerfile, script changes etc.
     allowed_requesters: [ "patch" ]
     commands:
       - func: clone
       - func: setup_building_host
-      - func: legacy_pipeline
+      - func: pipeline
         vars:
-          image_name: agent-pct
-          skip_tags: release
-          all_agents: true
+          image_name: agent
+          all_agents: "--all-agents"
 
   - name: build_test_image
     commands:
@@ -1334,8 +1289,7 @@ buildvariants:
         variant: init_test_run
       - name: build_init_database_image_ubi
         variant: init_test_run
-      - name: build_agent_images_ubi
-        variant: init_test_run
+
     tasks:
       - name: e2e_custom_domain_task_group
 
@@ -1369,8 +1323,7 @@ buildvariants:
         variant: init_test_run
       - name: build_init_database_image_ubi
         variant: init_test_run
-      - name: build_agent_images_ubi
-        variant: init_test_run
+
     run_on:
       - ubuntu2204-small
     tasks:
@@ -1594,6 +1547,8 @@ buildvariants:
         variant: init_test_run
       - name: prepare_and_upload_openshift_bundles_for_e2e
         variant: init_tests_with_olm
+      - name: build_agent_images_ubi
+        variant: init_test_run
     tasks:
       - name: e2e_kind_olm_group
 
@@ -1619,6 +1574,7 @@ buildvariants:
         variant: init_test_run
       - name: build_agent_images_ubi
         variant: init_test_run
+
     tasks:
       - name: e2e_kind_olm_group
 
@@ -1683,18 +1639,6 @@ buildvariants:
       - name: build_upgrade_hook_image
       - name: prepare_aws
 
-  - name: init_release_agents_on_ecr
-    display_name: init_release_agents_on_ecr
-    # this enables us to run this variant either manually (patch) which pct does or during an OM bump (github_pr)
-    allowed_requesters: [ "patch", "github_pr" ]
-    tags: [ "release_agents_on_ecr" ]
-    # We want that to run first and finish asap. Digest pinning depends on this to succeed.
-    priority: 70
-    run_on:
-      - ubuntu2204-large
-    tasks:
-      - name: release_agents_on_ecr_conditional
-
   - name: run_pre_commit
     priority: 70
     display_name: run_pre_commit
@@ -1722,8 +1666,7 @@ buildvariants:
         variant: init_test_run
       - name: build_init_om_images_ubi
         variant: init_test_run
-      - name: build_agent_images_ubi
-        variant: init_test_run
+
     run_on:
       - ubuntu2204-small
     tasks:
@@ -1809,13 +1752,6 @@ buildvariants:
       - name: release_init_database
       - name: release_init_ops_manager
       - name: release_database
-      # Once we release the operator, we will also release the init databases, we require them to be out first
-      # such that we can reference them and retrieve those binaries.
-      # Since we immediately run daily rebuild after creating the image, we can ensure that the init_database is out
-      # such that the agent image build can use it.
-      - name: release_agent_operator_release
-        depends_on:
-          - name: release_init_database
 
   - name: preflight_release_images
     display_name: preflight_release_images
@@ -1847,13 +1783,13 @@ buildvariants:
 
     # It will be called by pct while bumping the agent cloud manager image
   - name: release_agent
-    display_name: (Static Containers) Release Agent matrix
+    display_name: release_agent
     tags: [ "release_agent" ]
     run_on:
       - release-ubuntu2204-large # This is required for CISA attestation https://jira.mongodb.org/browse/DEVPROD-17780
     depends_on:
-      - variant: init_release_agents_on_ecr
-        name: '*'
+      - variant: init_test_run
+        name: build_agent_images_ubi # this ensures the agent gets released to ECR as well
       - variant: e2e_multi_cluster_kind
         name: '*'
       - variant: e2e_static_multi_cluster_2_clusters

.githooks/pre-commit

@@ -117,9 +117,9 @@ function update_release_json() {
 }
 
 function regenerate_public_rbac_multi_cluster() {
-    if echo "$git_last_changed" | grep -q 'public/tools/multicluster'; then
+    if echo "$git_last_changed" | grep -q -e 'cmd/kubectl-mongodb' -e 'pkg/kubectl-mongodb'; then
       echo 'regenerating multicluster RBAC public example'
-      pushd public/tools/multicluster
+      pushd pkg/kubectl-mongodb/common/
       EXPORT_RBAC_SAMPLES="true" go test ./... -run TestPrintingOutRolesServiceAccountsAndRoleBindings
       popd
       git add public/samples/multi-cluster-cli-gitops

changelog/20250811_other_container_images_for_opsmanager_versions_7016_800.md

@@ -0,0 +1,7 @@
+---
+title: OpsManager container images not published due to a product bug
+kind: other
+date: 2025-08-11
+---
+
+* We have deliberately not published the container images for OpsManager versions `7.0.16`, `8.0.8`, `8.0.9` and `8.0.10` due to a bug in the OpsManager which prevents MCK customers to upgrade their OpsManager deployments to those versions.

config/manager/manager.yaml

@@ -162,8 +162,8 @@ spec:
               value: "quay.io/mongodb/mongodb-agent-ubi:12.0.34.7888-1"
             - name: RELATED_IMAGE_AGENT_IMAGE_12_0_35_7911_1
               value: "quay.io/mongodb/mongodb-agent-ubi:12.0.35.7911-1"
-            - name: RELATED_IMAGE_AGENT_IMAGE_13_37_0_9590_1
-              value: "quay.io/mongodb/mongodb-agent-ubi:13.37.0.9590-1"
+            - name: RELATED_IMAGE_AGENT_IMAGE_13_38_0_9654_1
+              value: "quay.io/mongodb/mongodb-agent-ubi:13.38.0.9654-1"
             - name: RELATED_IMAGE_OPS_MANAGER_IMAGE_REPOSITORY_6_0_26
               value: "quay.io/mongodb/mongodb-enterprise-ops-manager-ubi:6.0.26"
             - name: RELATED_IMAGE_OPS_MANAGER_IMAGE_REPOSITORY_6_0_27

helm_chart/values-openshift.yaml

@@ -115,7 +115,7 @@ relatedImages:
   - 108.0.7.8810-1
   - 12.0.34.7888-1
   - 12.0.35.7911-1
-  - 13.37.0.9590-1
+  - 13.38.0.9654-1
   mongodbLegacyAppDb:
   - 4.2.11-ent
   - 4.2.2-ent

inventories/agent.yaml

@@ -3,7 +3,7 @@ vars:
   s3_bucket: s3://enterprise-operator-dockerfiles/dockerfiles/mongodb-agent
 
 images:
-  - name: mongodb-agent-ubi
+  - name: mongodb-agent
     vars:
       context: .
       template_context: docker/mongodb-agent

lib/sonar/template.py

@@ -13,7 +13,7 @@ def render(path: str, template_name: str, parameters: Dict[str, str]) -> str:
     """
     env = jinja2.Environment(loader=jinja2.FileSystemLoader(path), undefined=jinja2.StrictUndefined)
 
-    template = "Dockerfile"
+    template = "Dockerfile.old"
     if template_name is not None:
         template = "Dockerfile.{}".format(template_name)