[CLOUDP-350669] Publish helm chart to OCI registry for dev/staging workflows (#507)

# Summary

In an effort to start using OCI compatible container registries as our
helm chart repos, this PR makes the change package and publish our helm
chart to ECR registry. A new task `publish_helm_chart` is introduced in
the build variant `init_test_run` which packages and publishes the
chart.

The details about the versioning of the chart can be found in the
document
[here](https://docs.google.com/document/d/1eJ8iKsI0libbpcJakGjxcPfbrTn8lmcZDbQH1UqMR_g/edit?tab=t.gg5ble8qlesq).

There were two wrappers (shell scripts) introduced as part of this and
the reason was we wanted to call the python scripts
(`helm_registry_login.py` and `publish_helm_chart.py`) from
`.evergreen-function.yaml` passing an argument that's build scenario.
Build scenario is already set as env var in the evg host, but there
isn't a way to do this, in other words, we couldn't do below from the
`.evergreen-functions.yaml` file

```
binary: binary: run_python.sh scripts/release/helm_registry_login.sh $build_scenario_that_is_set_as_env_on_host
``` 

And because of that we had to write the wrapper that would call the
python script with correct argument after reading the env var.


## Proof of Work


[patch](https://spruce.mongodb.com/task/mongodb_kubernetes_init_test_run_publish_helm_chart_patch_749c1a3f3302ef2bc3f70ed683dd2e522bd94bef_68e91082554272000716941c_25_10_10_13_56_20/logs?execution=0)
and
[staging](https://spruce.mongodb.com/task/mongodb_kubernetes_init_test_run_publish_helm_chart_patch_749c1a3f3302ef2bc3f70ed683dd2e522bd94bef_68e91366a609a6000785b403_25_10_10_14_08_40/logs?execution=0)
evg runs. Notice at the end of the log that dev workflow is pushing to
diff repository and staging to different.

Successful run of `init_test_run` variant in this PR would also work. 

## Checklist

- [x] Have you linked a jira ticket and/or is the ticket in the title?
- [x] Have you checked whether your jira ticket required DOCSP changes?
- [x] Have you added changelog file?
    - use `skip-changelog` label if not needed
- refer to [Changelog files and Release
Notes](https://github.com/mongodb/mongodb-kubernetes/blob/master/CONTRIBUTING.md#changelog-files-and-release-notes)
section in CONTRIBUTING.md for more details

Author: viveksinghggits

.evergreen-functions.yml

@@ -222,6 +222,16 @@ functions:
         working_dir: src/github.com/mongodb/mongodb-kubernetes
         binary: scripts/evergreen/setup_docker_sbom.sh
 
+  helm_registry_login:
+    command: subprocess.exec
+    type: setup
+    params:
+      working_dir: src/github.com/mongodb/mongodb-kubernetes
+      add_to_path:
+        - ${workdir}/bin
+        - ${PROJECT_DIR}/bin
+      binary: scripts/release/helm_registry_login.sh
+
   # Logs into all used registries
   configure_docker_auth: &configure_docker_auth
     command: subprocess.exec
@@ -491,6 +501,13 @@ functions:
           - rh_pyxis
         binary: scripts/dev/run_python.sh scripts/preflight_images.py --image ${image_name} --submit "${preflight_submit}"
 
+  # publish_helm_chart packages and publishes the MCK helm chart to the OCI container registry
+  publish_helm_chart:
+    - command: subprocess.exec
+      params:
+        working_dir: src/github.com/mongodb/mongodb-kubernetes
+        binary: scripts/release/publish_helm_chart.sh
+
   build_multi_cluster_binary:
     - command: subprocess.exec
       type: setup

.evergreen.yml

@@ -453,6 +453,16 @@ tasks:
       - func: setup_building_host
       - func: pipeline_version_upgrade_hook
 
+  - name: publish_helm_chart
+    commands:
+      - func: clone
+      - func: python_venv
+      - func: setup_kubectl
+      - func: setup_aws
+      - func: prepare_aws
+      - func: helm_registry_login
+      - func: publish_helm_chart
+
   - name: prepare_aws
     priority: 59
     commands:
@@ -1706,6 +1716,7 @@ buildvariants:
       - name: build_readiness_probe_image
       - name: build_version_upgrade_hook_image
       - name: prepare_aws
+      - name: publish_helm_chart
 
   - name: init_test_run_ibm_power
     display_name: init_test_run_ibm_power

.gitignore

@@ -93,3 +93,6 @@ docs/**/test.sh.run.log
 dist
 logs
 *.run.log
+
+# locally packaged chart
+mongodb-kubernetes-*.tgz

build_info.json

@@ -379,15 +379,20 @@
   "helm-charts": {
     "mongodb-kubernetes": {
       "patch": {
-        "repositories": ["268558157000.dkr.ecr.us-east-1.amazonaws.com/dev/helm-charts"]
+        "registry": "268558157000.dkr.ecr.us-east-1.amazonaws.com",
+        "region": "us-east-1",
+        "repository": "dev/mongodb/helm-charts"
       },
       "staging": {
         "sign": true,
-        "repositories": ["268558157000.dkr.ecr.us-east-1.amazonaws.com/staging/helm-charts"]
+        "registry": "268558157000.dkr.ecr.us-east-1.amazonaws.com",
+        "region": "us-east-1",
+        "repository": "staging/mongodb/helm-charts"
       },
       "release": {
         "sign": true,
-        "repositories": ["quay.io/mongodb/helm-charts"]
+        "registry": "quay.io",
+        "repository": "mongodb/helm-charts"
       }
     }
   }

scripts/release/build/build_info.py

@@ -40,7 +40,9 @@ class BinaryInfo:
 
 @dataclass
 class HelmChartInfo:
-    repositories: List[str]
+    repository: str
+    registry: str
+    region: str
     sign: bool = False
 
 
@@ -106,8 +108,10 @@ def load_build_info(scenario: BuildScenario) -> BuildInfo:
             continue
 
         helm_charts[name] = HelmChartInfo(
-            repositories=scenario_data["repositories"],
+            repository=scenario_data.get("repository"),
             sign=scenario_data.get("sign", False),
+            registry=scenario_data.get("registry"),
+            region=scenario_data.get("region")
         )
 
     return BuildInfo(images=images, binaries=binaries, helm_charts=helm_charts)

scripts/release/helm_registry_login.py

@@ -0,0 +1,78 @@
+import argparse
+import os
+import subprocess
+import sys
+
+from lib.base_logger import logger
+from scripts.release.build.build_info import load_build_info
+
+
+def helm_registry_login(helm_registry: str, region: str):
+    logger.info(f"Attempting to log into ECR registry: {helm_registry}, using helm registry login.")
+
+    aws_command = ["aws", "ecr", "get-login-password", "--region", region]
+
+    # as we can see the password is being provided by stdin, that would mean we will have to
+    # pipe the aws_command (it figures out the password) into helm_command.
+    helm_command = ["helm", "registry", "login", "--username", "AWS", "--password-stdin", helm_registry]
+
+    try:
+        logger.info("Starting AWS ECR credential retrieval.")
+        aws_proc = subprocess.Popen(
+            aws_command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True  # Treat input/output as text strings
+        )
+
+        logger.info("Starting Helm registry login.")
+        helm_proc = subprocess.Popen(
+            helm_command, stdin=aws_proc.stdout, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True
+        )
+
+        # Close the stdout stream of aws_proc in the parent process
+        # to prevent resource leakage (only needed if you plan to do more processing)
+        aws_proc.stdout.close()
+
+        # Wait for the Helm command (helm_proc) to finish and capture its output
+        helm_stdout, helm_stderr = helm_proc.communicate()
+
+        # Wait for the AWS process to finish as well
+        aws_proc.wait()
+
+        if aws_proc.returncode != 0:
+            _, aws_stderr = aws_proc.communicate()
+            raise Exception(f"aws command to get password failed. Error: {aws_stderr}")
+
+        if helm_proc.returncode == 0:
+            logger.info("Login to helm registry was successful.")
+            logger.info(helm_stdout.strip())
+        else:
+            raise Exception(
+                f"Login to helm registry failed, Exit code: {helm_proc.returncode}, Error: {helm_stderr.strip()}"
+            )
+
+    except FileNotFoundError as e:
+        # This catches errors if 'aws' or 'helm' are not in the PATH
+        raise Exception(f"Command not found. Please ensure '{e.filename}' is installed and in your system's PATH.")
+    except Exception as e:
+        raise Exception(f"An unexpected error occurred: {e}.")
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Script to login to the dev/staging helm registries.")
+    parser.add_argument("--build_scenario", type=str, help="Build scenario (e.g., patch, staging etc).")
+    args = parser.parse_args()
+
+    build_scenario = args.build_scenario
+
+    build_info = load_build_info(build_scenario)
+
+    registry = build_info.helm_charts["mongodb-kubernetes"].registry
+    region = build_info.helm_charts["mongodb-kubernetes"].region
+    return helm_registry_login(registry, region)
+
+
+if __name__ == "__main__":
+    try:
+        main()
+    except Exception as e:
+        logger.error(f"Failed while logging in to the helm registry. Error: {e}")
+        sys.exit(1)

scripts/release/helm_registry_login.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -Eeou pipefail
+
+# Instead of calling the publish_helm_chart.py directly from .evergreen-functions.yaml
+# we are calling that via this .sh so that we can easily pass build_scenario from env var that
+# is set via context files. Using the env vars, set via context files, in .evergreen configuraiton 
+# is not that straightforward.
+source scripts/dev/set_env_context.sh
+
+scripts/dev/run_python.sh scripts/release/helm_registry_login.py --build_scenario "${BUILD_SCENARIO}"

scripts/release/publish_helm_chart.py

@@ -0,0 +1,119 @@
+import argparse
+import os
+import subprocess
+import sys
+
+import yaml
+
+from lib.base_logger import logger
+from scripts.release.build.build_info import *
+
+CHART_DIR = "helm_chart"
+
+
+def run_command(command: list[str]):
+    try:
+        # Using capture_output=True to grab stdout/stderr for better error logging.
+        process = subprocess.run(command, check=True, text=True, capture_output=True)
+        logger.info(f"Successfully executed: {' '.join(command)}")
+        if process.stdout:
+            logger.info(process.stdout)
+    except subprocess.CalledProcessError as e:
+        raise RuntimeError(f"Command {' '.join(command)} failed. Stderr: {e.stderr.strip()}") from e
+    except FileNotFoundError:
+        raise FileNotFoundError(
+            f"Error: {command[0]} command not found. Ensure {command[0]} is installed and in your PATH."
+        )
+
+
+# update_chart_and_get_metadata updates the helm chart's Chart.yaml and sets the version
+# to either evg patch id or commit which is set in OPERATOR_VERSION.
+def update_chart_and_get_metadata(chart_dir: str) -> tuple[str, str]:
+    chart_path = os.path.join(chart_dir, "Chart.yaml")
+    version_id = os.environ.get("OPERATOR_VERSION")
+    if not version_id:
+        raise ValueError(
+            "Error: Environment variable 'OPERATOR_VERSION' must be set to determine the chart version to publish."
+        )
+
+    new_version = f"0.0.0+{version_id}"
+    logger.info(f"New helm chart version will be: {new_version}")
+
+    if not os.path.exists(chart_path):
+        raise FileNotFoundError(
+            f"Error: Chart.yaml not found in directory '{chart_dir}'. "
+            "Please ensure the directory exists and contains a valid Chart.yaml."
+        )
+
+    try:
+        with open(chart_path, "r") as f:
+            data = yaml.safe_load(f)
+
+        chart_name = data.get("name")
+        if not chart_name:
+            raise ValueError("Chart.yaml is missing required 'name' field.")
+
+        data["version"] = new_version
+
+        with open(chart_path, "w") as f:
+            yaml.safe_dump(data, f, sort_keys=False)
+
+        logger.info(f"Successfully updated version for chart '{chart_name}' to '{new_version}'.")
+        return chart_name, new_version
+    except Exception as e:
+        raise RuntimeError(f"Failed to read or update Chart.yaml: {e}")
+
+
+def get_oci_registry(chart_info: HelmChartInfo) -> str:
+    registry = chart_info.registry
+    repo = chart_info.repository
+
+    if not registry:
+        raise ValueError("Error: registry doesn't seem to be set in HelmChartInfo.")
+
+    if not repo:
+        raise ValueError("Error: reposiotry doesn't seem to be set in HelmChartInfo.")
+
+    oci_registry = f"oci://{registry}/{repo}"
+    logger.info(f"Determined OCI Registry: {oci_registry}")
+    return oci_registry
+
+
+def publish_helm_chart(chart_info: HelmChartInfo):
+    try:
+        oci_registry = get_oci_registry(chart_info)
+        chart_name, chart_version = update_chart_and_get_metadata(CHART_DIR)
+        tgz_filename = f"{chart_name}-{chart_version}.tgz"
+
+        logger.info(f"Packaging chart: {chart_name} with Version: {chart_version}")
+        package_command = ["helm", "package", CHART_DIR]
+        run_command(package_command)
+
+        logger.info(f"Pushing chart to registry: {oci_registry}")
+        push_command = ["helm", "push", tgz_filename, oci_registry]
+        run_command(push_command)
+
+        logger.info(f"Helm Chart {chart_name}:{chart_version} was published successfully!")
+    except Exception as e:
+        raise Exception(f"Failed publishing the helm chart {e}")
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Script to publish helm chart to the OCI container registry, based on the build scenario."
+    )
+    parser.add_argument("--build_scenario", type=str, help="Build scenario (e.g., patch, staging etc).")
+    args = parser.parse_args()
+
+    build_scenario = args.build_scenario
+    build_info = load_build_info(build_scenario)
+
+    return publish_helm_chart(build_info.helm_charts["mongodb-kubernetes"])
+
+
+if __name__ == "__main__":
+    try:
+        main()
+    except Exception as e:
+        logger.error(f"Failure in the helm publishing process {e}")
+        sys.exit(1)

scripts/release/publish_helm_chart.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+# Instead of calling the publish_helm_chart.py directly from .evergreen-functions.yaml
+# we are calling that via this .sh so that we can easily pass build_scenario from env var that
+# is set via context files. Using the env vars, set via context files, in .evergreen configuraiton 
+# is not that straightforward.
+set -Eeou pipefail
+
+source scripts/dev/set_env_context.sh
+
+scripts/dev/run_python.sh scripts/release/publish_helm_chart.py --build_scenario "${BUILD_SCENARIO}"

scripts/release/release_info.py

@@ -66,7 +66,8 @@ def convert_to_release_info_json(build_info: BuildInfo) -> dict:
 
     for name, chart in build_info.helm_charts.items():
         output["helm-charts"][name] = {
-            "repositories": chart.repositories,
+            "registry": chart.registry,
+            "repository": chart.repository,
             "version": DUMMY_VERSION,
         }