CLOUDP-301995: use Silkbomb 2.0 (replaces Silk usage with Kondukto) (#4117)

# Summary

CLOUDP-301995

# Description
- make updates to use Silkbomb 2.0
  - assume IAM role to pull `KONDUKTO_TOKEN` from AWS Secrets Manager
- assumption is that `kondukto_role_arn` variable is set in the
Evergreen project with a value of
`arn:aws:iam::119629040606:role/kondukto`
- the concept of "asset groups" does not exist in Kondukto
  - SBOMs will not be uploaded to a Kondukto project's "branch"
- the existing naming scheme for "asset groups" will now be used to
determine the Kondukto "branch" to upload an SBOM to

## Proof of Work

- TODO (may need some assistance here)
  - Q: can I simply trigger the `release_agent` variant to test?

## Checklist
- [x] Have you linked a jira ticket and/or is the ticket in the title?
- [x] Have you checked whether your jira ticket required DOCSP changes?
- [x] Have you checked for release_note changes?

Author: fetsko

.evergreen-functions.yml

@@ -7,8 +7,6 @@ variables:
       - GRS_USERNAME
       - OVERRIDE_VERSION_ID
       - PKCS11_URI
-      - SILK_CLIENT_ID
-      - SILK_CLIENT_SECRET
       - branch_name
       - build_id
       - build_variant
@@ -478,6 +476,22 @@ functions:
           # docker buildx needs the moby/buildkit image when setting up a builder so we pull it from our mirror
           docker buildx create --driver=docker-container --driver-opt=image=268558157000.dkr.ecr.eu-west-1.amazonaws.com/docker-hub-mirrors/moby/buildkit:buildx-stable-1 --use
           docker buildx inspect --bootstrap
+    - command: ec2.assume_role
+      display_name: Assume IAM role with permissions to pull Kondukto API token
+      params:
+        role_arn: ${kondukto_role_arn}
+    - command: shell.exec
+      display_name: Pull Kondukto API token from AWS Secrets Manager and write it to file
+      params:
+        silent: true
+        shell: bash
+        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
+        script: |
+          set -e
+          # use AWS CLI to get the Kondukto API token from AWS Secrets Manager
+          kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)
+          # write the KONDUKTO_TOKEN environment variable to Silkbomb environment file
+          echo "KONDUKTO_TOKEN=$kondukto_token" > ${workdir}/silkbomb.env
     - command: subprocess.exec
       retry_on_failure: true
       type: setup

pipeline.py

@@ -433,6 +433,7 @@ def produce_sbom(build_configuration, args):
         elif args["platform"] == "amd64":
             platform = "linux/amd64"
         else:
+            # TODO: return here?
             logger.error(f"Unrecognized architectures in {args}. Skipping SBOM generation")
     else:
         platform = "linux/amd64"
@@ -981,7 +982,7 @@ def build_image_generic(
         )
         # Sleep for a random time between 0 and 5 seconds to distribute daily builds better,
         # as we do a lot of things there that require network connections like:
-        # - silk uploads, downloads
+        # - Kondukto uploads, downloads
         # - image verification and signings
         # - manifest creations
         # - docker image pushes