CLOUDP-295785 - release tasks integration with atomic_pipeline.py

.evergreen-functions.yml

@@ -564,42 +564,18 @@ functions:
         working_dir: src/github.com/mongodb/mongodb-kubernetes
         binary: scripts/dev/run_python.sh scripts/release/pipeline_main.py --parallel ${image_name} ${all_agents} ${build_scenario}
 
-  # TODO: CLOUDP-335471 ; once all image builds are made with the new atomic pipeline, remove the following function
-  legacy_pipeline:
+  release_pipeline:
     - *switch_context
-    - command: shell.exec
-      type: setup
-      params:
-        shell: bash
-        script: |
-          # Docker Hub workaround
-          # docker buildx needs the moby/buildkit image when setting up a builder so we pull it from our mirror
-          docker buildx create --driver=docker-container --driver-opt=image=268558157000.dkr.ecr.eu-west-1.amazonaws.com/docker-hub-mirrors/moby/buildkit:buildx-stable-1 --use
-          docker buildx inspect --bootstrap
-    - command: ec2.assume_role
-      display_name: Assume IAM role with permissions to pull Kondukto API token
-      params:
-        role_arn: ${kondukto_role_arn}
-    - command: shell.exec
-      display_name: Pull Kondukto API token from AWS Secrets Manager and write it to file
-      params:
-        silent: true
-        shell: bash
-        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
-        script: |
-          set -e
-          # use AWS CLI to get the Kondukto API token from AWS Secrets Manager
-          kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)
-          # write the KONDUKTO_TOKEN environment variable to Silkbomb environment file
-          echo "KONDUKTO_TOKEN=$kondukto_token" > ${workdir}/silkbomb.env
     - command: subprocess.exec
       retry_on_failure: true
       type: setup
       params:
         shell: bash
         <<: *e2e_include_expansions_in_env
         working_dir: src/github.com/mongodb/mongodb-kubernetes
-        binary: scripts/dev/run_python.sh pipeline.py --include ${image_name} --parallel --sign
+        env:
+          git_tag: ${triggered_by_git_tag}
+        binary: scripts/dev/run_python.sh scripts/release/pipeline_main.py ${image_name} --build-scenario release --version ${git_tag}
 
   teardown_cloud_qa_all:
     - *switch_context
@@ -845,3 +821,65 @@ functions:
           - task_name
         script: |
           ./scripts/code_snippets/${task_name}_test.sh
+
+  #
+  # kubectl mongodb plugin release functions
+  #
+  install_goreleaser:
+    - command: shell.exec
+      type: setup
+      include_expansions_in_env:
+        - goreleaser_pro_tar_gz
+      params:
+        script: |
+          set -Eeu pipefail
+          curl -fL "${goreleaser_pro_tar_gz}" --output goreleaser_Linux_x86_64.tar.gz
+          tar -xf goreleaser_Linux_x86_64.tar.gz
+          chmod 755 ./goreleaser
+
+  install_macos_notarization_service:
+    - command: shell.exec
+      type: setup
+      params:
+        include_expansions_in_env:
+          - notary_service_url
+        script: |
+          set -Eeu pipefail
+
+          curl "${notary_service_url}" --output macos-notary.zip
+          unzip -u macos-notary.zip
+          chmod 755 ./linux_amd64/macnotary
+
+  release_kubectl_mongodb_plugin:
+    - command: github.generate_token
+      params:
+        expansion_name: generated_token
+    - command: shell.exec
+      type: setup
+      params:
+        working_dir: src/github.com/mongodb/mongodb-kubernetes
+        include_expansions_in_env:
+          - GRS_USERNAME
+          - GRS_PASSWORD
+          - PKCS11_URI
+          - ARTIFACTORY_URL
+          - ARTIFACTORY_PASSWORD
+          - SIGNING_IMAGE_URI
+          - macos_notary_keyid
+          - macos_notary_secret
+          - workdir
+          - triggered_by_git_tag
+        env:
+          XDG_CONFIG_HOME: ${go_base_path}${workdir}
+          GO111MODULE: "on"
+          GOROOT: "/opt/golang/go1.24"
+          MACOS_NOTARY_KEY: ${macos_notary_keyid}
+          MACOS_NOTARY_SECRET: ${macos_notary_secret}
+          GORELEASER_CURRENT_TAG: ${triggered_by_git_tag}
+        # shell.exec EVG Task doesn't have add_to_path, so we need to explicitly add the path export below.
+        script: |
+          set -Eeu pipefail
+
+          export PATH=$GOROOT/bin:$PATH
+          export GITHUB_TOKEN=${generated_token}
+          ${workdir}/goreleaser release --clean

.evergreen-release.yml

@@ -0,0 +1,186 @@
+include:
+  - filename: .evergreen-functions.yml
+
+tasks:
+
+  - name: release_operator
+    tags: [ "image_release" ]
+    allowed_requesters: [ "patch", "github_tag" ]
+    commands:
+      - func: clone
+      - func: setup_building_host
+      - func: quay_login
+      - func: release_pipeline
+        vars:
+          image_name: operator
+
+  # Releases init images to Quay
+  - name: release_init_appdb
+    tags: [ "image_release" ]
+    allowed_requesters: [ "patch", "github_tag" ]
+    commands:
+      - func: clone
+      - func: setup_building_host
+      - func: quay_login
+      - func: release_pipeline
+        vars:
+          image_name: init-appdb
+
+  - name: release_init_database
+    tags: [ "image_release" ]
+    allowed_requesters: [ "patch", "github_tag" ]
+    commands:
+      - func: clone
+      - func: setup_building_host
+      - func: quay_login
+      - func: release_pipeline
+        vars:
+          image_name: init-database
+
+  - name: release_init_ops_manager
+    tags: [ "image_release" ]
+    allowed_requesters: [ "patch", "github_tag" ]
+    commands:
+      - func: clone
+      - func: setup_building_host
+      - func: quay_login
+      - func: release_pipeline
+        vars:
+          image_name: init-ops-manager
+
+  - name: release_database
+    tags: [ "image_release" ]
+    allowed_requesters: [ "patch", "github_tag" ]
+    commands:
+      - func: clone
+      - func: setup_building_host
+      - func: quay_login
+      - func: release_pipeline
+        vars:
+          image_name: database
+
+  - name: prepare_and_upload_openshift_bundles
+    tags: [ "openshift_bundles" ]
+    allowed_requesters: [ "patch", "github_tag" ]
+    commands:
+      - func: clone
+      - func: setup_aws
+      - func: configure_docker_auth
+      - func: setup_prepare_openshift_bundles
+      - func: prepare_openshift_bundles
+      - func: update_evergreen_expansions
+      - func: upload_openshift_bundle
+        vars:
+          # mongoDbOperator expansion is added in update_evergreen_expansions func from release.json
+          bundle_file_name: "mck-operator-certified-${mongodbOperator}.tgz"
+
+  - name: run_conditionally_prepare_and_upload_openshift_bundles
+    tags: [ "openshift_bundles" ]
+    allowed_requesters: [ "patch", "github_tag" ]
+    commands:
+      - func: clone
+      - func: run_task_conditionally
+        vars:
+          condition_script: scripts/evergreen/should_prepare_openshift_bundles.sh
+          variant: prepare_openshift_bundles
+          task: prepare_and_upload_openshift_bundles
+
+  - name: release_kubectl_mongodb_plugin
+    allowed_requesters: [ "patch", "github_tag" ]
+    tags: [ "binary_release" ]
+    commands:
+      - func: clone
+      - func: install_goreleaser
+      - func: install_macos_notarization_service
+      - func: release_kubectl_mongodb_plugin
+
+### Release build variants
+buildvariants:
+
+  - name: release_images
+    display_name: release_images
+    tags: [ "release" ]
+    allowed_requesters: [ "patch", "github_tag" ]
+    max_hosts: -1
+    run_on:
+      - release-ubuntu2204-large # This is required for CISA attestation https://jira.mongodb.org/browse/DEVPROD-17780
+    tasks:
+      - name: release_operator
+      - name: release_init_appdb
+      - name: release_init_database
+      - name: release_init_ops_manager
+      - name: release_database
+
+  - name: preflight_release_images
+    display_name: preflight_release_images
+    tags: [ "release" ]
+    allowed_requesters: [ "patch", "github_tag" ]
+    depends_on:
+      - name: "*"
+        variant: release_images
+    run_on:
+      - rhel90-large
+    expansions:
+      preflight_submit: true
+    tasks:
+      - name: preflight_images_task_group
+
+  - name: prepare_openshift_bundles
+    display_name: prepare_openshift_bundles
+    tags: [ "release" ]
+    allowed_requesters: [ "patch", "github_tag" ]
+    depends_on:
+      - name: "*"
+        variant: release_images
+      - name: "*"
+        variant: preflight_release_images
+    run_on:
+      - ubuntu2204-large
+    tasks:
+      - name: run_conditionally_prepare_and_upload_openshift_bundles
+
+  - name: prerelease_gke_code_snippets
+    display_name: prerelease_gke_code_snippets
+    tags: [ "release" ]
+    allowed_requesters: ["patch", "github_tag"]
+    depends_on:
+      - variant: release_images
+        name: '*'
+        patch_optional: true
+    run_on:
+      - ubuntu2204-small
+    tasks:
+      - name: gke_code_snippets_task_group
+
+  - name: e2e_smoke
+    display_name: e2e_smoke
+    tags: [ "e2e_smoke_release_test_suite" ]
+    run_on:
+      - ubuntu2204-large
+    allowed_requesters: [ "patch", "github_tag" ]
+    depends_on:
+      - name: "*"
+        variant: release_images
+    tasks:
+      - name: e2e_smoke_task_group
+
+  - name: e2e_static_smoke
+    display_name: e2e_static_smoke
+    tags: [ "e2e_smoke_release_test_suite" ]
+    run_on:
+      - ubuntu2204-large
+    allowed_requesters: [ "patch", "github_tag" ]
+    depends_on:
+      - name: "*"
+        variant: release_images
+    tasks:
+      - name: e2e_smoke_task_group
+
+  - name: release_kubectl_mongodb_plugin
+    display_name: release_kubectl_mongodb_plugin
+    tags: [ "release" ]
+    run_on:
+      - release-ubuntu2204-small # This is required for CISA attestation https://jira.mongodb.org/browse/DEVPROD-17780
+    allowed_requesters: [ "patch", "github_tag" ]
+    tasks:
+      - name: release_kubectl_mongodb_plugin