[CLOUDP-352579] Add evergreen function to promote and release kubectl plugin (#325)

Author: viveksinghggits

.evergreen-functions.yml

@@ -512,7 +512,7 @@ functions:
     - command: subprocess.exec
       params:
         working_dir: src/github.com/mongodb/mongodb-kubernetes
-        binary: scripts/dev/run_python.sh scripts/release/kubectl-mongodb/python/build_kubectl_plugin.py
+        binary: scripts/dev/run_python.sh scripts/release/kubectl_mongodb/python/build_kubectl_plugin.py
 
   build_and_push_appdb_database:
     - command: subprocess.exec
@@ -888,7 +888,7 @@ functions:
   release_kubectl_mongodb_plugin:
     - command: github.generate_token
       params:
-        expansion_name: generated_token
+        expansion_name: GH_TOKEN
     - command: shell.exec
       type: setup
       params:
@@ -911,10 +911,5 @@ functions:
           GOROOT: "/opt/golang/go1.24"
           MACOS_NOTARY_KEY: ${macos_notary_keyid}
           MACOS_NOTARY_SECRET: ${macos_notary_secret}
-        # shell.exec EVG Task doesn't have add_to_path, so we need to explicitly add the path export below.
-        script: |
-          set -Eeu pipefail
-          export GORELEASER_CURRENT_TAG=${OPERATOR_VERSION|*triggered_by_git_tag}
-          export PATH=$GOROOT/bin:$PATH
-          export GITHUB_TOKEN=${generated_token}
-          ${workdir}/goreleaser release --clean
+          GH_TOKEN: ${GH_TOKEN}
+        script: scripts/dev/run_python.sh scripts/release/kubectl_mongodb/python/promote_kubectl_plugin.py

.evergreen-release.yml

@@ -121,6 +121,7 @@ tasks:
       - func: clone
       - func: install_goreleaser
       - func: install_macos_notarization_service
+      - func: python_venv
       - func: release_kubectl_mongodb_plugin
 
   - name: create_chart_release_pr

.goreleaser.yaml

@@ -19,9 +19,9 @@ builds:
     hooks:
       # This will notarize Apple binaries and replace goreleaser bins with the notarized ones
       post:
-        - cmd: ./scripts/release/kubectl-mongodb/kubectl_mac_notarize.sh
+        - cmd: ./scripts/release/kubectl_mongodb/kubectl_mac_notarize.sh
           output: true
-        - cmd: ./scripts/release/kubectl-mongodb/sign.sh {{ .Path }}
+        - cmd: ./scripts/release/kubectl_mongodb/sign.sh {{ .Path }}
           env:
             - GRS_USERNAME={{ .Env.GRS_USERNAME }}
             - GRS_PASSWORD={{ .Env.GRS_PASSWORD }}
@@ -30,7 +30,7 @@ builds:
             - SIGNING_IMAGE_URI={{ .Env.SIGNING_IMAGE_URI }}
             - ARTIFACTORY_USERNAME=mongodb-enterprise-kubernetes-operator
             - ARTIFACTORY_PASSWORD={{ .Env.ARTIFACTORY_PASSWORD }}
-        - cmd: ./scripts/release/kubectl-mongodb/verify.sh {{ .Path }} && echo "VERIFIED OK"
+        - cmd: ./scripts/release/kubectl_mongodb/verify.sh {{ .Path }} && echo "VERIFIED OK"
 
 archives:
   - format: tar.gz

scripts/release/kubectl_mongodb/install_istio_separate_network.sh

@@ -0,0 +1,188 @@
+#!/usr/bin/env bash
+
+set -eux
+
+# define here or provide the cluster names externally
+export CTX_CLUSTER1=${CTX_CLUSTER1}
+export CTX_CLUSTER2=${CTX_CLUSTER2}
+export CTX_CLUSTER3=${CTX_CLUSTER3}
+export ISTIO_VERSION=${ISTIO_VERSION}
+
+# download Istio under the path
+curl -L https://istio.io/downloadIstio | sh -
+
+# checks if external IP has been assigned to a service object, in our case we are interested in east-west gateway
+function_check_external_ip_assigned() {
+ while : ; do
+   ip=$(kubectl --context="$1" get svc istio-eastwestgateway -n istio-system --output jsonpath='{.status.loadBalancer.ingress[0].ip}')
+   if [ -n "${ip}" ]
+   then
+     echo "external ip assigned ${ip}"
+     break
+   else
+     echo "waiting for external ip to be assigned"
+   fi
+done
+}
+
+cd "istio-${ISTIO_VERSION}"
+mkdir -p certs
+pushd certs
+
+# create root trust for the clusters
+make -f ../tools/certs/Makefile.selfsigned.mk root-ca
+make -f ../tools/certs/Makefile.selfsigned.mk "${CTX_CLUSTER1}-cacerts"
+make -f ../tools/certs/Makefile.selfsigned.mk "${CTX_CLUSTER2}-cacerts"
+make -f ../tools/certs/Makefile.selfsigned.mk "${CTX_CLUSTER3}-cacerts"
+
+kubectl --context="${CTX_CLUSTER1}" create ns istio-system
+kubectl --context="${CTX_CLUSTER1}" create secret generic cacerts -n istio-system \
+      --from-file="${CTX_CLUSTER1}/ca-cert.pem" \
+      --from-file="${CTX_CLUSTER1}/ca-key.pem" \
+      --from-file="${CTX_CLUSTER1}/root-cert.pem" \
+      --from-file="${CTX_CLUSTER1}/cert-chain.pem"
+
+kubectl --context="${CTX_CLUSTER2}" create ns istio-system
+kubectl --context="${CTX_CLUSTER2}" create secret generic cacerts -n istio-system \
+      --from-file="${CTX_CLUSTER2}/ca-cert.pem" \
+      --from-file="${CTX_CLUSTER2}/ca-key.pem" \
+      --from-file="${CTX_CLUSTER2}/root-cert.pem" \
+      --from-file="${CTX_CLUSTER2}/cert-chain.pem"
+
+kubectl --context="${CTX_CLUSTER3}" create ns istio-system
+kubectl --context="${CTX_CLUSTER3}" create secret generic cacerts -n istio-system \
+      --from-file="${CTX_CLUSTER3}/ca-cert.pem" \
+      --from-file="${CTX_CLUSTER3}/ca-key.pem" \
+      --from-file="${CTX_CLUSTER3}/root-cert.pem" \
+      --from-file="${CTX_CLUSTER3}/cert-chain.pem"
+popd
+
+# label namespace in cluster1
+kubectl --context="${CTX_CLUSTER1}" get namespace istio-system && \
+  kubectl --context="${CTX_CLUSTER1}" label namespace istio-system topology.istio.io/network=network1
+
+cat <<EOF > cluster1.yaml
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  values:
+    global:
+      meshID: mesh1
+      multiCluster:
+        clusterName: cluster1
+      network: network1
+EOF
+bin/istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml
+samples/multicluster/gen-eastwest-gateway.sh \
+    --mesh mesh1 --cluster cluster1 --network network1 | \
+    bin/istioctl --context="${CTX_CLUSTER1}" install -y -f -
+
+
+# check if external IP is assigned to east-west gateway in cluster1
+function_check_external_ip_assigned "${CTX_CLUSTER1}"
+
+
+# expose services in cluster1
+kubectl --context="${CTX_CLUSTER1}" apply -n istio-system -f \
+    samples/multicluster/expose-services.yaml
+
+
+kubectl --context="${CTX_CLUSTER2}" get namespace istio-system && \
+  kubectl --context="${CTX_CLUSTER2}" label namespace istio-system topology.istio.io/network=network2
+
+
+cat <<EOF > cluster2.yaml
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  values:
+    global:
+      meshID: mesh1
+      multiCluster:
+        clusterName: cluster2
+      network: network2
+EOF
+
+bin/istioctl install --context="${CTX_CLUSTER2}" -f cluster2.yaml
+
+samples/multicluster/gen-eastwest-gateway.sh \
+    --mesh mesh1 --cluster cluster2 --network network2 | \
+    bin/istioctl --context="${CTX_CLUSTER2}" install -y -f -
+
+# check if external IP is assigned to east-west gateway in cluster2
+function_check_external_ip_assigned "${CTX_CLUSTER2}"
+
+kubectl --context="${CTX_CLUSTER2}" apply -n istio-system -f \
+    samples/multicluster/expose-services.yaml
+
+# cluster3
+kubectl --context="${CTX_CLUSTER3}" get namespace istio-system && \
+  kubectl --context="${CTX_CLUSTER3}" label namespace istio-system topology.istio.io/network=network3
+
+cat <<EOF > cluster3.yaml
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  values:
+    global:
+      meshID: mesh1
+      multiCluster:
+        clusterName: cluster3
+      network: network3
+EOF
+
+bin/istioctl install --context="${CTX_CLUSTER3}" -f cluster3.yaml
+
+samples/multicluster/gen-eastwest-gateway.sh \
+    --mesh mesh1 --cluster cluster3 --network network3 | \
+    bin/istioctl --context="${CTX_CLUSTER3}" install -y -f -
+
+
+# check if external IP is assigned to east-west gateway in cluster3
+function_check_external_ip_assigned "${CTX_CLUSTER3}"
+
+kubectl --context="${CTX_CLUSTER3}" apply -n istio-system -f \
+    samples/multicluster/expose-services.yaml
+
+
+# enable endpoint discovery
+bin/istioctl x create-remote-secret \
+  --context="${CTX_CLUSTER1}" \
+  -n istio-system \
+  --name=cluster1 | \
+  kubectl apply -f - --context="${CTX_CLUSTER2}"
+
+bin/istioctl x create-remote-secret \
+  --context="${CTX_CLUSTER1}" \
+  -n istio-system \
+  --name=cluster1 | \
+  kubectl apply -f - --context="${CTX_CLUSTER3}"
+
+bin/istioctl x create-remote-secret \
+  --context="${CTX_CLUSTER2}" \
+  -n istio-system \
+  --name=cluster2 | \
+  kubectl apply -f - --context="${CTX_CLUSTER1}"
+
+bin/istioctl x create-remote-secret \
+  --context="${CTX_CLUSTER2}" \
+  -n istio-system \
+  --name=cluster2 | \
+  kubectl apply -f - --context="${CTX_CLUSTER3}"
+
+bin/istioctl x create-remote-secret \
+  --context="${CTX_CLUSTER3}" \
+  -n istio-system \
+  --name=cluster3 | \
+  kubectl apply -f - --context="${CTX_CLUSTER1}"
+
+bin/istioctl x create-remote-secret \
+  --context="${CTX_CLUSTER3}" \
+  -n istio-system \
+  --name=cluster3 | \
+  kubectl apply -f - --context="${CTX_CLUSTER2}"
+
+  # cleanup: delete the istio repo at the end
+cd ..
+rm -r "istio-${ISTIO_VERSION}"
+rm -f cluster1.yaml cluster2.yaml cluster3.yaml

scripts/release/kubectl-mongodb/kubectl_mac_notarize.sh renamed to scripts/release/kubectl_mongodb/kubectl_mac_notarize.sh

@@ -20,16 +20,27 @@ set -Eeou pipefail
 # This depends on binaries being generated in a goreleaser manner and gon being set up.
 # goreleaser should already take care of calling this script as a hook.
 
-if [[ -f "./dist/kubectl-mongodb_darwin_amd64_v1/kubectl-mongodb" && -f "./dist/kubectl-mongodb_darwin_arm64/kubectl-mongodb" && ! -f "./dist/kubectl-mongodb_macos_signed.zip" ]]; then
+if [ -z "${1-}" ]; then
+  echo "Error: Missing required argument <version> as first positional parameter to script"
+  echo "Usage: ./kubectl_mac_notarize.sh <version>"
+  exit 1
+fi
+
+version=$1
+
+darwin_amd64_dir="./artifacts/kubectl-mongodb_${version}_darwin_amd64"
+darwin_arm64_dir="./artifacts/kubectl-mongodb_${version}_darwin_arm64"
+
+if [[ -f "${darwin_amd64_dir}/kubectl-mongodb" && -f "${darwin_arm64_dir}/kubectl-mongodb" && ! -f "./artifacts/kubectl-mongodb_macos_signed.zip" ]]; then
 	echo "notarizing macOs binaries"
-	zip -r ./dist/kubectl-mongodb_amd64_arm64_bin.zip ./dist/kubectl-mongodb_darwin_amd64_v1/kubectl-mongodb ./dist/kubectl-mongodb_darwin_arm64/kubectl-mongodb # The Notarization Service takes an archive as input
+	zip -r ./artifacts/kubectl-mongodb_amd64_arm64_bin.zip "${darwin_amd64_dir}/kubectl-mongodb" "${darwin_arm64_dir}/kubectl-mongodb" # The Notarization Service takes an archive as input
 	"${workdir:-.}"/linux_amd64/macnotary \
-		-f ./dist/kubectl-mongodb_amd64_arm64_bin.zip \
+		-f ./artifacts/kubectl-mongodb_amd64_arm64_bin.zip \
 		-m notarizeAndSign -u https://dev.macos-notary.build.10gen.cc/api \
 		-b com.mongodb.mongodb-kubectl-mongodb \
-		-o ./dist/kubectl-mongodb_macos_signed.zip
+		-o ./artifacts/kubectl-mongodb_macos_signed.zip
 
 	echo "replacing original files"
-	unzip -oj ./dist/kubectl-mongodb_macos_signed.zip dist/kubectl-mongodb_darwin_amd64_v1/kubectl-mongodb -d ./dist/kubectl-mongodb_darwin_amd64_v1/
-	unzip -oj ./dist/kubectl-mongodb_macos_signed.zip dist/kubectl-mongodb_darwin_arm64/kubectl-mongodb -d ./dist/kubectl-mongodb_darwin_arm64/
+	unzip -oj ./artifacts/kubectl-mongodb_macos_signed.zip "artifacts/kubectl-mongodb_${version}_darwin_amd64/kubectl-mongodb" -d "${darwin_amd64_dir}/"
+	unzip -oj ./artifacts/kubectl-mongodb_macos_signed.zip "artifacts/kubectl-mongodb_${version}_darwin_arm64/kubectl-mongodb" -d "${darwin_arm64_dir}/"
 fi

scripts/release/kubectl-mongodb/python/build_kubectl_plugin.py renamed to scripts/release/kubectl_mongodb/python/build_kubectl_plugin.py

@@ -9,13 +9,10 @@
 from scripts.release.build.build_info import (
     load_build_info,
 )
+from scripts.release.kubectl_mongodb.python.consts import *
 
-AWS_REGION = "eu-north-1"
-KUBECTL_PLUGIN_BINARY_NAME = "kubectl-mongodb"
 S3_BUCKET_KUBECTL_PLUGIN_SUBPATH = KUBECTL_PLUGIN_BINARY_NAME
 
-GORELEASER_DIST_DIR = "dist"
-
 
 def run_goreleaser():
     try:

scripts/release/kubectl_mongodb/python/consts.py

@@ -0,0 +1,12 @@
+AWS_REGION = "eu-north-1"
+KUBECTL_PLUGIN_BINARY_NAME = "kubectl-mongodb"
+
+GITHUB_REPO = "mongodb/mongodb-kubernetes"
+
+LOCAL_ARTIFACTS_DIR = "artifacts"
+CHECKSUMS_PATH = f"{LOCAL_ARTIFACTS_DIR}/checksums.txt"
+
+GORELEASER_DIST_DIR = "dist"
+
+BUILD_SCENARIO_RELEASE = "release"
+BUILD_SCENARIO_STAGING = "staging"