Merge branch 'master' into search/public-preview

Author: anandsyncs

.evergreen-periodic-builds.yaml

@@ -162,7 +162,7 @@ buildvariants:
     display_name: periodic_build
     tags: [ "periodic_build" ]
     run_on:
-      - ubuntu2204-large
+      - release-ubuntu2204-large # This is required for CISA attestation https://jira.mongodb.org/browse/DEVPROD-17780
     tasks:
       - name: periodic_build_task_group
 

.evergreen.yml

@@ -610,6 +610,46 @@ tasks:
           variant: prepare_openshift_bundles
           task: prepare_and_upload_openshift_bundles
 
+  - name: backup_csv_images_dry_run
+    commands:
+      - func: clone
+      - func: quay_login
+      - command: subprocess.exec
+        params:
+          working_dir: src/github.com/mongodb/mongodb-kubernetes
+          binary: python3
+          args:
+            - scripts/dev/release/backup_csv_images.py
+            - scripts/dev/release/1.2.0.clusterserviceversion.yaml
+            - --dry-run
+            - --verbose
+  - name: backup_csv_images_limit_3
+    commands:
+      - func: clone
+      - func: quay_login
+      - command: subprocess.exec
+        params:
+          working_dir: src/github.com/mongodb/mongodb-kubernetes
+          binary: python3
+          args:
+            - scripts/dev/release/backup_csv_images.py
+            - scripts/dev/release/1.2.0.clusterserviceversion.yaml
+            - --limit
+            - "3"
+            - --verbose
+  - name: backup_csv_images_all
+    commands:
+      - func: clone
+      - func: quay_login
+      - command: subprocess.exec
+        params:
+          working_dir: src/github.com/mongodb/mongodb-kubernetes
+          binary: python3
+          args:
+            - scripts/dev/release/backup_csv_images.py
+            - scripts/dev/release/1.2.0.clusterserviceversion.yaml
+            - --verbose
+
 task_groups:
   - name: unit_task_group
     max_hosts: -1
@@ -1206,7 +1246,6 @@ task_groups:
     <<: *teardown_group
 
 buildvariants:
-
   ## Unit tests + lint build variant
 
   - name: unit_tests
@@ -1736,7 +1775,7 @@ buildvariants:
     allowed_requesters: [ "patch", "github_tag" ]
     max_hosts: -1
     run_on:
-      - ubuntu2204-large
+      - release-ubuntu2204-large # This is required for CISA attestation https://jira.mongodb.org/browse/DEVPROD-17780
     depends_on:
       - name: build_operator_ubi
         variant: init_test_run
@@ -1795,7 +1834,7 @@ buildvariants:
     display_name: (Static Containers) Release Agent matrix
     tags: [ "release_agent" ]
     run_on:
-      - ubuntu2204-large
+      - release-ubuntu2204-large # This is required for CISA attestation https://jira.mongodb.org/browse/DEVPROD-17780
     depends_on:
       - variant: init_release_agents_on_ecr
         name: '*'
@@ -1881,11 +1920,21 @@ buildvariants:
 
   ### Build variants for manual patch only
 
+  - name: backup_csv_images
+    display_name: "Backup CSV Images"
+    allowed_requesters: [ "patch" ]
+    run_on:
+      - ubuntu2204-small
+    tasks:
+      - name: backup_csv_images_dry_run
+      - name: backup_csv_images_limit_3
+      - name: backup_csv_images_all
+
   - name: publish_om60_images
     display_name: publish_om60_images
     allowed_requesters: [ "patch", "github_pr" ]
     run_on:
-      - ubuntu2204-large
+      - release-ubuntu2204-large # This is required for CISA attestation https://jira.mongodb.org/browse/DEVPROD-17780
     depends_on:
       - variant: e2e_om60_kind_ubi
         name: '*'
@@ -1899,7 +1948,7 @@ buildvariants:
     display_name: publish_om70_images
     allowed_requesters: [ "patch", "github_pr" ]
     run_on:
-      - ubuntu2204-large
+      - release-ubuntu2204-large # This is required for CISA attestation https://jira.mongodb.org/browse/DEVPROD-17780
     depends_on:
       - variant: e2e_om70_kind_ubi
         name: '*'
@@ -1913,7 +1962,7 @@ buildvariants:
     display_name: publish_om80_images
     allowed_requesters: [ "patch", "github_pr" ]
     run_on:
-      - ubuntu2204-large
+      - release-ubuntu2204-large # This is required for CISA attestation https://jira.mongodb.org/browse/DEVPROD-17780
     depends_on:
       - variant: e2e_om80_kind_ubi
         name: '*'

config/rbac/operator-roles.yaml

@@ -13,7 +13,6 @@ rules:
       - clustermongodbroles
 ---
 # Source: mongodb-kubernetes/templates/operator-roles.yaml
----
 # Additional ClusterRole for clusterVersionDetection
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

helm_chart/templates/operator-roles.yaml

@@ -142,9 +142,9 @@ subjects:
     namespace: {{ include "mongodb-kubernetes-operator.namespace" $ }}
 {{- end }}
 
----
 
 {{- if .Values.operator.enableClusterMongoDBRoles }}
+---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -173,11 +173,11 @@ subjects:
 {{- end }}
 
 {{- end }}
----
 
 {{/* This cluster role and binding is necessary to allow the operator to automatically register ValidatingWebhookConfiguration. */}}
 {{- if and .Values.operator.webhook.registerConfiguration .Values.operator.webhook.installClusterRole }}
 {{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "mongodb-kubernetes-operator-mongodb-webhook") }}
+---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -255,7 +255,6 @@ rules:
       - nodes
     verbs:
       - list
-{{- end}}
 ---
 # ClusterRoleBinding for clusterVersionDetection
 kind: ClusterRoleBinding
@@ -270,4 +269,5 @@ subjects:
   - kind: ServiceAccount
     name: {{ .Values.operator.name }}
     namespace: {{ include "mongodb-kubernetes-operator.namespace" . }}
-{{- end }}
+  {{- end}}{{/* if ne $telemetry.installClusterRole false */}}
+{{- end }}{{/* if ne $telemetry.enabled false */}}

helm_chart/templates/operator-sa.yaml

@@ -9,15 +9,4 @@ metadata:
 imagePullSecrets:
   - name: {{ .Values.registry.imagePullSecrets }}
 {{- end }}
-
-{{- $watchNamespace := include "mongodb-kubernetes-operator.namespace" . | list }}
-{{- if .Values.operator.watchNamespace }}
-{{- $watchNamespace = regexSplit "," .Values.operator.watchNamespace -1 }}
-{{- $watchNamespace = concat $watchNamespace (include "mongodb-kubernetes-operator.namespace" . | list) | uniq }}
-{{- end }}
-
-{{- $roleScope := "Role" -}}
-{{- if or (gt (len $watchNamespace) 1) (eq (first $watchNamespace) "*") }}
-{{- $roleScope = "ClusterRole" }}
-{{- end }}
 {{- end }} {{/* if .Values.operator.createOperatorServiceAccount */}}

scripts/dev/contexts/e2e_multi_cluster_2_clusters

@@ -15,3 +15,10 @@ export test_pod_cluster=kind-e2e-cluster-1
 export TEST_POD_CLUSTER=kind-e2e-cluster-1
 export ops_manager_version="cloud_qa"
 
+# MCK is capable of deploying a webhook (optional).
+# To do so it needs know which pods to select for routing traffic
+# in the Service and operator name currently serves as a selector.
+# This value must be different for multi cluster setup,
+# but we can unify once we are done with unified operator
+# installation for both multicluster and single cluster setups.
+export OPERATOR_NAME="mongodb-kubernetes-operator-multi-cluster"

scripts/dev/contexts/e2e_multi_cluster_kind

@@ -15,3 +15,11 @@ export CENTRAL_CLUSTER=kind-e2e-operator
 export TEST_POD_CLUSTER=kind-e2e-cluster-1
 export test_pod_cluster=kind-e2e-cluster-1
 export ops_manager_version="cloud_qa"
+
+# MCK is capable of deploying a webhook (optional).
+# To do so it needs know which pods to select for routing traffic
+# in the Service and operator name currently serves as a selector.
+# This value must be different for multi cluster setup,
+# but we can unify once we are done with unified operator
+# installation for both multicluster and single cluster setups.
+export OPERATOR_NAME="mongodb-kubernetes-operator-multi-cluster"

scripts/dev/contexts/e2e_multi_cluster_om_appdb

@@ -20,3 +20,11 @@ export CENTRAL_CLUSTER=kind-e2e-cluster-1
 export TEST_POD_CLUSTER=kind-e2e-cluster-1
 export test_pod_cluster=kind-e2e-cluster-1
 export ops_manager_version="${CUSTOM_OM_VERSION}"
+
+# MCK is capable of deploying a webhook (optional).
+# To do so it needs know which pods to select for routing traffic
+# in the Service and operator name currently serves as a selector.
+# This value must be different for multi cluster setup,
+# but we can unify once we are done with unified operator
+# installation for both multicluster and single cluster setups.
+export OPERATOR_NAME="mongodb-kubernetes-operator-multi-cluster"

scripts/dev/contexts/e2e_multi_cluster_om_operator_not_in_mesh

@@ -15,3 +15,11 @@ export CENTRAL_CLUSTER=kind-e2e-operator
 export test_pod_cluster=kind-e2e-cluster-1
 export TEST_POD_CLUSTER=kind-e2e-cluster-1
 export ops_manager_version="${CUSTOM_OM_VERSION}"
+
+# MCK is capable of deploying a webhook (optional).
+# To do so it needs know which pods to select for routing traffic
+# in the Service and operator name currently serves as a selector.
+# This value must be different for multi cluster setup,
+# but we can unify once we are done with unified operator
+# installation for both multicluster and single cluster setups.
+export OPERATOR_NAME="mongodb-kubernetes-operator-multi-cluster"

scripts/dev/contexts/e2e_static_multi_cluster_2_clusters

@@ -16,3 +16,11 @@ export ops_manager_version="cloud_qa"
 
 export MDB_DEFAULT_ARCHITECTURE=static
 export CUSTOM_MDB_VERSION=6.0.5
+
+# MCK is capable of deploying a webhook (optional).
+# To do so it needs know which pods to select for routing traffic
+# in the Service and operator name currently serves as a selector.
+# This value must be different for multi cluster setup,
+# but we can unify once we are done with unified operator
+# installation for both multicluster and single cluster setups.
+export OPERATOR_NAME="mongodb-kubernetes-operator-multi-cluster"