CLOUDP-295785 - release tasks integration with atomic_pipeline.py (#344)

# Summary

⚠️ **Important notice**

This PR contains some changes from
#336, but they are not
used yet and don't impact the PRs or patches. They are included because
previously this PR was stacked on the staging PR and it is much easier
to include them. The changes that are included:
- `latest_tag` support - this is needed for staging builds, but like
mentioned earlier, staging builds are not yet used
- replace `268558157000.dkr.ecr.us-east-1.amazonaws.com/dev` with
`BASE_REPO_URL`. This will be used to distinguish different repo urls:
dev, staging and release. Currently hardcoded to
`268558157000.dkr.ecr.us-east-1.amazonaws.com/dev`
---

**This change is made to unblock the release of MCK 1.3.0. It is not
final state of the release mechanism and most of it will be replaced by
image promotion process.**

Created new `.evergreen-release.yml` file that contains all release
tasks including integration with `kubectl-mongodb` plugin release task.
All of the variants are triggered only when `github_tag` is added.

Additional changes:
- each released image will be also released with additional `olm_tag`
that has dynamic timestamp part. It will prevent accidental overriding
the tags used by OLM. The tag syntax is
`{version}-olm-{timestamp_suffix}` where timestamp suffix is in
`%Y%m%d%H%M%S` format
- created separate `release_operator_pipeline` evergreen function that
uses `release` build scenario and version provided by `git_tag`
- fixed and bumped preflight script

## Proof of Work

List of tasks that are triggered when doing manual patch:
<img width="2036" height="1017" alt="Screenshot 2025-09-03 at 11 00 16"
src="https://github.com/user-attachments/assets/b3e7e707-3929-4f88-bc4f-2f998a16482a"
/>


⚠️ This PR was tested by running evergreen command locally:
```
sudo evergreen patch -p mongodb-kubernetes -a release -d "Release test" -f -y -u --browse --path .evergreen.yml --param RELEASE_OPERATOR_VERSION=1.3.0-rc
```

Link to evg job
-> https://spruce.mongodb.com/version/68b81b45285a950007bc8398

## Checklist

- [x] Have you linked a jira ticket and/or is the ticket in the title?
- [x] Have you checked whether your jira ticket required DOCSP changes?
- [x] Have you added changelog file?
    - use `skip-changelog` label if not needed
- refer to [Changelog files and Release
Notes](https://github.com/mongodb/mongodb-kubernetes/blob/master/CONTRIBUTING.md#changelog-files-and-release-notes)
section in CONTRIBUTING.md for more details

Author: MaciejKaras

.evergreen-functions.yml

@@ -46,6 +46,9 @@ variables:
       - workdir
       # temporary secret to pull community private preview image from quay.io
       - community_private_preview_pullsecret_dockerconfigjson
+      - RELEASE_INITIAL_VERSION
+      - RELEASE_INITIAL_COMMIT_SHA
+      - RELEASE_OPERATOR_VERSION
 
 functions:
 
@@ -564,42 +567,18 @@ functions:
         working_dir: src/github.com/mongodb/mongodb-kubernetes
         binary: scripts/dev/run_python.sh scripts/release/pipeline_main.py --parallel ${image_name} ${all_agents} ${build_scenario}
 
-  # TODO: CLOUDP-335471 ; once all image builds are made with the new atomic pipeline, remove the following function
-  legacy_pipeline:
+  # TODO: this function is very similar to pipeline and it will joined with it in the future
+  release_operator_pipeline:
     - *switch_context
-    - command: shell.exec
-      type: setup
-      params:
-        shell: bash
-        script: |
-          # Docker Hub workaround
-          # docker buildx needs the moby/buildkit image when setting up a builder so we pull it from our mirror
-          docker buildx create --driver=docker-container --driver-opt=image=268558157000.dkr.ecr.eu-west-1.amazonaws.com/docker-hub-mirrors/moby/buildkit:buildx-stable-1 --use
-          docker buildx inspect --bootstrap
-    - command: ec2.assume_role
-      display_name: Assume IAM role with permissions to pull Kondukto API token
-      params:
-        role_arn: ${kondukto_role_arn}
-    - command: shell.exec
-      display_name: Pull Kondukto API token from AWS Secrets Manager and write it to file
-      params:
-        silent: true
-        shell: bash
-        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
-        script: |
-          set -e
-          # use AWS CLI to get the Kondukto API token from AWS Secrets Manager
-          kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)
-          # write the KONDUKTO_TOKEN environment variable to Silkbomb environment file
-          echo "KONDUKTO_TOKEN=$kondukto_token" > ${workdir}/silkbomb.env
     - command: subprocess.exec
       retry_on_failure: true
       type: setup
       params:
         shell: bash
         <<: *e2e_include_expansions_in_env
         working_dir: src/github.com/mongodb/mongodb-kubernetes
-        binary: scripts/dev/run_python.sh pipeline.py --include ${image_name} --parallel --sign
+        # By default, use the git tag that triggered the task which can be overridden with RELEASE_OPERATOR_VERSION
+        binary: scripts/dev/run_python.sh scripts/release/pipeline_main.py ${image_name} --build-scenario release --version ${RELEASE_OPERATOR_VERSION|*triggered_by_git_tag}
 
   teardown_cloud_qa_all:
     - *switch_context
@@ -855,3 +834,65 @@ functions:
           - task_name
         script: |
           ./scripts/code_snippets/${task_name}_test.sh
+
+  #
+  # kubectl mongodb plugin release functions
+  #
+  install_goreleaser:
+    - command: shell.exec
+      type: setup
+      include_expansions_in_env:
+        - goreleaser_pro_tar_gz
+      params:
+        script: |
+          set -Eeu pipefail
+          curl -fL "${goreleaser_pro_tar_gz}" --output goreleaser_Linux_x86_64.tar.gz
+          tar -xf goreleaser_Linux_x86_64.tar.gz
+          chmod 755 ./goreleaser
+
+  install_macos_notarization_service:
+    - command: shell.exec
+      type: setup
+      params:
+        include_expansions_in_env:
+          - notary_service_url
+        script: |
+          set -Eeu pipefail
+
+          curl "${notary_service_url}" --output macos-notary.zip
+          unzip -u macos-notary.zip
+          chmod 755 ./linux_amd64/macnotary
+
+  release_kubectl_mongodb_plugin:
+    - command: github.generate_token
+      params:
+        expansion_name: generated_token
+    - command: shell.exec
+      type: setup
+      params:
+        working_dir: src/github.com/mongodb/mongodb-kubernetes
+        include_expansions_in_env:
+          - GRS_USERNAME
+          - GRS_PASSWORD
+          - PKCS11_URI
+          - ARTIFACTORY_URL
+          - ARTIFACTORY_PASSWORD
+          - SIGNING_IMAGE_URI
+          - macos_notary_keyid
+          - macos_notary_secret
+          - workdir
+          - triggered_by_git_tag
+          - RELEASE_OPERATOR_VERSION
+        env:
+          XDG_CONFIG_HOME: ${go_base_path}${workdir}
+          GO111MODULE: "on"
+          GOROOT: "/opt/golang/go1.24"
+          MACOS_NOTARY_KEY: ${macos_notary_keyid}
+          MACOS_NOTARY_SECRET: ${macos_notary_secret}
+        # shell.exec EVG Task doesn't have add_to_path, so we need to explicitly add the path export below.
+        script: |
+          set -Eeu pipefail
+          export GORELEASER_CURRENT_TAG=${RELEASE_OPERATOR_VERSION|*triggered_by_git_tag}
+          export PATH=$GOROOT/bin:$PATH
+          export GITHUB_TOKEN=${generated_token}
+          ${workdir}/goreleaser release --clean