Merge branch 'master' into e2e-tests-on-published-chart

Author: MaciejKaras

.evergreen-tasks.yml

@@ -1116,7 +1116,6 @@ tasks:
 
   - name: e2e_multi_cluster_validation
     tags: [ "patch-run" ]
-    exec_timeout_secs: 1000
     commands:
       - func: e2e_test
 

changelog/20251027_other_cosign_version_upgrade.md

@@ -0,0 +1,6 @@
+---
+kind: other
+date: 2025-10-27
+---
+
+* **kubectl-mongodb plugin**: `cosign`, the signing tool that is used to sign `kubectl-mongodb` plugin binaries, has been updated to version `3.0.2`. With this change, released binaries will be bundled with `.bundle` files containing both signature and certificate information. For more information on how to verify signatures using new `cosign` version please refer to -> https://github.com/sigstore/cosign/blob/v3.0.2/doc/cosign_verify-blob.md

docker/mongodb-kubernetes-tests/tests/multicluster_appdb/multicluster_appdb_disaster_recovery.py

@@ -152,11 +152,12 @@ def test_delete_om_and_appdb_statefulset_in_failed_cluster(
         # delete OM to simulate losing Ops Manager application
         # this is only for testing unavailability of the OM application, it's not testing losing OM cluster
         # we don't delete here any additional resources (secrets, configmaps) that are required for a proper OM recovery testing
+        # it will be immediately recreated by the operator, so we cannot check if it was deleted
         delete_statefulset(
             ops_manager.namespace,
             ops_manager.name,
             propagation_policy="Background",
-            api_client=central_cluster_client,
+            api_client=get_member_cluster_api_client(OM_MEMBER_CLUSTER_NAME),
         )
     except kubernetes.client.ApiException as e:
         if e.status != 404:
@@ -184,14 +185,6 @@ def statefulset_is_deleted(namespace: str, name: str, api_client=Optional[kubern
             else:
                 raise e
 
-    run_periodically(
-        lambda: statefulset_is_deleted(
-            ops_manager.namespace,
-            ops_manager.name,
-            api_client=get_member_cluster_api_client(OM_MEMBER_CLUSTER_NAME),
-        ),
-        timeout=120,
-    )
     run_periodically(
         lambda: statefulset_is_deleted(
             ops_manager.namespace,

scripts/funcs/multicluster

@@ -128,26 +128,6 @@ EOF
   sleep 1
 
   local service_account_name="operator-tests-multi-cluster-service-account"
-
-  local secret_name
-  secret_name="$(kubectl --context "${CENTRAL_CLUSTER}" get secret -n "${NAMESPACE}" | { grep "${service_account_name}" || test $? = 1; } | awk '{ print $1 }')"
-  if [[ "${secret_name}" == "" ]]; then
-    secret_name="${service_account_name}-token-secret"
-    create_service_account_token_secret "${CENTRAL_CLUSTER}" "${service_account_name}" "${secret_name}"
-  fi
-
-  local central_cluster_token
-  central_cluster_token="$(kubectl --context "${CENTRAL_CLUSTER}" get secret "${secret_name}" -o jsonpath='{ .data.token}' -n "${NAMESPACE}" | base64 -d)"
-  echo "Creating Multi Cluster configuration secret"
-
-  configuration_params=(
-    "--from-literal=central_cluster=${CENTRAL_CLUSTER}"
-  )
-
-  configuration_params+=(
-    "--from-literal=${CENTRAL_CLUSTER}=${central_cluster_token}"
-  )
-
   local secret_name
   secret_name="$(kubectl --context "${CENTRAL_CLUSTER}" get secret -n "${NAMESPACE}" | { grep "${service_account_name}" || test $? = 1; } | awk '{ print $1 }')"
   if [[ "${secret_name}" == "" ]]; then
@@ -175,7 +155,18 @@ EOF
       create_service_account_token_secret "${member_cluster}" "${service_account_name}" "${secret_name}"
     fi
 
-    member_cluster_token="$(kubectl --context "${member_cluster}" get secret "${secret_name}" -o jsonpath='{ .data.token}' -n "${NAMESPACE}" | base64 -d)"
+    # Retry up to 10 times if .data.token is not yet populated
+    for _ in {1..10}; do
+      member_cluster_token="$(kubectl --context "${member_cluster}" get secret "${secret_name}" -o jsonpath='{ .data.token }' -n "${NAMESPACE}" | base64 -d)"
+      if [[ -n "${member_cluster_token}" ]]; then
+        break
+      fi
+      sleep 1
+    done
+    if [[ -z "${member_cluster_token}" ]]; then
+      echo "Error: .data.token not populated for secret ${secret_name} in cluster ${member_cluster}"
+      exit 1
+    fi
     # for 2 cluster tests central cluster is the first member, so we cannot add this as it will result in duplicate key and error in create secret
     if [[ "${member_cluster}" != "${CENTRAL_CLUSTER}" ]]; then
       configuration_params+=(

scripts/release/atomic_pipeline.py

@@ -77,19 +77,20 @@ def build_image(
     # Build the image once with all repository tags
     tags = []
     for registry in registries:
-        tag = f"{registry}:{build_configuration.version}"
+        arch_suffix = ""
+        if build_configuration.architecture_suffix and len(build_configuration.platforms) == 1:
+            arch_suffix = f"-{build_configuration.platforms[0].split("/")[1]}"
+
+        tag = f"{registry}:{build_configuration.version}{arch_suffix}"
         if build_configuration.skip_if_exists and check_if_image_exists(tag):
             logger.info(f"Image with tag {tag} already exists. Skipping it.")
         else:
             tags.append(tag)
             if build_configuration.latest_tag:
-                tags.append(f"{registry}:latest")
+                tags.append(f"{registry}:latest{arch_suffix}")
             if build_configuration.olm_tag:
                 olm_tag = create_olm_version_tag(build_configuration.version)
-                tags.append(f"{registry}:{olm_tag}")
-            if build_configuration.architecture_suffix and len(build_configuration.platforms) == 1:
-                arch = build_configuration.platforms[0].split("/")[1]
-                tags.append(f"{tag}-{arch}")
+                tags.append(f"{registry}:{olm_tag}{arch_suffix}")
 
     if not tags:
         logger.info("All specified image tags already exist. Skipping build.")

scripts/release/kubectl_mongodb/sign.sh

@@ -8,7 +8,7 @@ set -euo pipefail
 # Sign a binary using garasign credentials
 
 ARTIFACT=$1
-SIGNATURE="${ARTIFACT}.sig"
+SIGNATURE_BUNDLE="${ARTIFACT}.bundle"
 
 TMPDIR=${TMPDIR:-/tmp}
 SIGNING_ENVFILE="${TMPDIR}/signing-envfile"
@@ -21,7 +21,7 @@ SIGNING_IMAGE_URI=${SIGNING_IMAGE_URI}
 ARTIFACTORY_PASSWORD=${ARTIFACTORY_PASSWORD}
 ARTIFACTORY_USERNAME=${ARTIFACTORY_USERNAME}
 
-echo "Signing artifact ${ARTIFACT} and saving signature to ${SIGNATURE}"
+echo "Signing artifact ${ARTIFACT} and saving signature bundle to ${SIGNATURE_BUNDLE}"
 
 {
   echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}";
@@ -40,4 +40,4 @@ docker run \
   -v "$(pwd)":"$(pwd)" \
   -w "$(pwd)" \
   "${SIGNING_IMAGE_URI}" \
-  cosign sign-blob --key "${PKCS11_URI}" --output-signature "${SIGNATURE}" "${ARTIFACT}" --yes
+  cosign sign-blob --key "${PKCS11_URI}" --tlog-upload=false --use-signing-config=false --bundle "${SIGNATURE_BUNDLE}" "${ARTIFACT}" --yes

scripts/release/kubectl_mongodb/verify.sh

@@ -2,10 +2,10 @@
 
 set -euo pipefail
 
-# Verify the signature of a binary with the operator's public key
+# Verify the signature bundle of a binary with the operator's public key
 
 ARTIFACT=$1
-SIGNATURE="${ARTIFACT}.sig"
+SIGNATURE_BUNDLE="${ARTIFACT}.bundle"
 
 HOSTED_SIGN_PUBKEY="https://cosign.mongodb.com/mongodb-enterprise-kubernetes-operator.pem" # to complete
 TMPDIR=${TMPDIR:-/tmp}
@@ -14,19 +14,19 @@ KEY_FILE="${TMPDIR}/host-public.key"
 SIGNING_IMAGE_URI="${SIGNING_IMAGE_URI}"
 
 curl -o "${KEY_FILE}" "${HOSTED_SIGN_PUBKEY}"
-echo "Verifying signature ${SIGNATURE} of artifact ${ARTIFACT}"
+echo "Verifying signature bundle ${SIGNATURE_BUNDLE} of artifact ${ARTIFACT}"
 echo "Keyfile is ${KEY_FILE}"
 
 # When working locally, the following command can be used instead of Docker
-# cosign verify-blob --key ${KEY_FILE} --signature ${SIGNATURE} ${ARTIFACT}
+# cosign verify-blob --key ${KEY_FILE} --insecure-ignore-tlog --bundle ${SIGNATURE_BUNDLE} ${ARTIFACT}
 
 docker run \
   --rm \
   -v "$(pwd)":"$(pwd)" \
   -v "${KEY_FILE}":"${KEY_FILE}" \
   -w "$(pwd)" \
   "${SIGNING_IMAGE_URI}" \
-  cosign verify-blob --key "${KEY_FILE}" --signature "${SIGNATURE}" "${ARTIFACT}"
+  cosign verify-blob --key "${KEY_FILE}" --insecure-ignore-tlog --bundle "${SIGNATURE_BUNDLE}" "${ARTIFACT}"
 
-# Without below line, Evergreen fails at archiving with "open dist/kubectl-[...]/kubectl-mongodb.sig: permission denied
-sudo chmod 666 "${SIGNATURE}"
+# Without below line, Evergreen fails at archiving with "open dist/kubectl-[...]/kubectl-mongodb.bundle: permission denied
+sudo chmod 666 "${SIGNATURE_BUNDLE}"

scripts/release/publish_helm_chart.py

@@ -3,10 +3,10 @@
 import subprocess
 
 import yaml
-from release.build.build_scenario import SUPPORTED_SCENARIOS
 
 from lib.base_logger import logger
 from scripts.release.build.build_info import *
+from scripts.release.build.build_scenario import SUPPORTED_SCENARIOS
 
 CHART_DIR = "helm_chart"