@MaciejKaras
Collaborator

@MaciejKaras MaciejKaras commented Oct 30, 2025

Summary

Image signing was disabled globally by mistake. This change fixes the issue while adjusting to the new cosign version.

Proof of Work

On staging we now successfully sign images -> https://evergreen.mongodb.com/version/6903557435b1f60007ee8cfa?redirect_spruce_users=true

[2025/10/30 13:23:52.472] Login Succeeded
[2025/10/30 13:23:52.472] INFO 2025-10-30 12:23:52,472 [atomic_pipeline] Signing image
[2025/10/30 13:23:52.472] DEBUG 2025-10-30 12:23:52,472 [image_signing] Signing image 268558157000.dkr.ecr.us-east-1.amazonaws.com/staging/mongodb-kubernetes-init-appdb:1.6.0-mk
[2025/10/30 13:24:17.675] DEBUG 2025-10-30 12:24:17,675 [image_signing] Signing successful
[2025/10/30 13:24:17.675] DEBUG 2025-10-30 12:24:17,675 [image_signing] Verifying signature of 268558157000.dkr.ecr.us-east-1.amazonaws.com/staging/mongodb-kubernetes-init-appdb:1.6.0-mk
[2025/10/30 13:24:21.009] DEBUG 2025-10-30 12:24:18,491 [image_signing] Successful verification
[2025/10/30 13:24:21.009] Finished command 'subprocess.exec' in function 'pipeline' (step 3 of 3) in 5m3.441945822s.

Checklist

  • Have you linked a jira ticket and/or is the ticket in the title?
  • Have you checked whether your jira ticket required DOCSP changes?
  • Have you added changelog file?
@github-actions

⚠️ (this preview might not be accurate if the PR is not rebased on current master branch)

MCK 1.6.0 Release Notes

New Features

  • MongoDBCommunity: Added support to configure custom cluster domain via newly introduced spec.clusterDomain resource field. If spec.clusterDomain is not set, environment variable CLUSTER_DOMAIN is used as cluster domain. If the environment variable CLUSTER_DOMAIN is also not set, operator falls back to cluster.local as default cluster domain.
  • Helm Chart: Introduced two new helm fields operator.podSecurityContext and operator.securityContext that can be used to configure securityContext for Operator deployment through Helm Chart.

Bug Fixes

  • Fixed parsing of the customEnvVars Helm value when values contain = characters.
  • ReplicaSet: Blocked disabling TLS and changing member count simultaneously. These operations must now be applied separately to prevent configuration inconsistencies.

Other Changes

  • kubectl-mongodb plugin: cosign, the signing tool that is used to sign kubectl-mongodb plugin binaries, has been updated to version 3.0.2. With this change, released binaries will be bundled with .bundle files containing both signature and certificate information. For more information on how to verify signatures using new cosign version please refer to -> https://github.com/sigstore/cosign/blob/v3.0.2/doc/cosign_verify-blob.md
@MaciejKaras MaciejKaras added the skip-changelog Use this label in Pull Request to not require new changelog entry file label Oct 30, 2025
"-s",
"--sign",
action="store_true",
action=argparse.BooleanOptionalAction,
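Review bot: The --sign argument, at the action=argparse.BooleanOptionalAction line, sets no explicit default, so the "args.sign is not None" fallback to build_info.json depends on the action's implicit default of None. Add default=None next to the action so a later edit cannot silently reintroduce the always-set value that disabled signing. This action also accepts --no-sign, which overrides a sign value of true in build_info.json; log at INFO or WARNING whenever an image is built with signing skipped so an unsigned build is visible in the pipeline output.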
Collaborator Author

sign was always set and it was overriding the value from build_info.json:

sign = args.sign if args.sign is not None else image_build_info.sign 
@MaciejKaras MaciejKaras marked this pull request as ready for review October 30, 2025 12:25
@MaciejKaras MaciejKaras requested a review from a team as a code owner October 30, 2025 12:25
@MaciejKaras MaciejKaras requested review from Julien-Ben, mircea-cosbuc and nammn and removed request for nammn October 30, 2025 12:25
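
The flag behaviour described in the review comment above, as an added example that is not part of the pull request or the project's code: it runs the quoted fallback expression against a store_true flag and against argparse.BooleanOptionalAction. ImageBuildInfo, make_parser, resolve_sign and signing_matrix are hypothetical names, and ImageBuildInfo only stands in for an entry loaded from build_info.json.

```python
import argparse
from dataclasses import dataclass


@dataclass
class ImageBuildInfo:
    """Hypothetical stand-in for one image entry loaded from build_info.json."""
    sign: bool


def make_parser(action):
    """Build a parser whose --sign flag uses the given argparse action."""
    parser = argparse.ArgumentParser()
    parser.add_argument("-s", "--sign", action=action)
    return parser


def resolve_sign(parser, argv, image_build_info):
    """Apply the fallback expression quoted in the review comment."""
    args = parser.parse_args(argv)
    return args.sign if args.sign is not None else image_build_info.sign


BEFORE = make_parser("store_true")                   # omitted flag parses as False
AFTER = make_parser(argparse.BooleanOptionalAction)  # omitted flag parses as None


def signing_matrix():
    """Return {(parser, cli, build_info.sign): resolved} for every combination."""
    rows = {}
    for name, parser in (("before", BEFORE), ("after", AFTER)):
        for argv in ([], ["--sign"], ["--no-sign"]):
            if name == "before" and argv == ["--no-sign"]:
                continue  # store_true defines no --no-sign option
            for configured in (True, False):
                key = (name, " ".join(argv) or "<omitted>", configured)
                rows[key] = resolve_sign(parser, argv, ImageBuildInfo(configured))
    return rows


if __name__ == "__main__":
    for (name, cli, configured), resolved in signing_matrix().items():
        print(f"{name:6} cli={cli:10} build_info.sign={configured!s:5} -> sign={resolved}")
```

The "before" rows with the flag omitted resolve to False even when build_info.sign is True, which is the global disablement the summary describes.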