CLOUDP-338084 - removing and refactoring agent matrix from pipeline.py and atomic_pipeline.py

[nammn]

Summary

Why we do this

• since we don't do an agent matrix release anymore, there is no need to release all the agents we see on release.json. Instead we should only release the agent if PCT adds a new agent. That happens during OM and CM bumps, the new detection script should handle this and release the images

What changes

• adding a detection script that detects agent changes between local vs origin/master for release.json and uses that as a base to do the release
• streamline evergreen.yml and remove matrix builds/releases
• streamline agent builds on pipeline.py

Evergreen configuration cleanup and simplification:

• Removed obsolete tasks and buildvariants related to agent image releases, such as release_agent_operator_release, release_agents_on_ecr_conditional, and init_release_agents_on_ecr, to streamline the release process.

Pipeline logic refactoring:

• Refactored the build_agent_default_case function in pipeline.py to use the new detect_ops_manager_changes function for determining which agent versions to build, and eliminated the separate build_agent_on_agent_bump logic.
• Simplified agent in pipeline.py to match atomic_pipeline.py
• Updated the image builder function mapping so that both "agent" and "agent-pct" use the unified build_agent_default_case function.

Proof of Work

• no agent needed to be released - patch: Link

[2025/08/14 10:56:13.642] === Detecting OM Mapping Changes (Local vs Base) ===
[2025/08/14 10:56:13.643] INFO     2025-08-14 08:56:13,642 [atomic_pipeline]  No changes detected, skipping agent build
[2025/08/14 10:56:13.725] Finished command 'subprocess.exec' in function 'pipeline' (step 3.5 of 3) in 4.209554597s.

• manual changing release.json (the changeset, its a manual rsynced patch), leading to an agent release/build. Note; the task is not passing because I am releasing a non existant image -Link

[2025/08/14 17:42:50.558] INFO     2025-08-14 15:42:50,558 [atomic_pipeline]  ======= Agent versions to build [('13.30.0.9590-1', '100.12.2')] =======
[2025/08/14 17:42:50.558] INFO     2025-08-14 15:42:50,558 [atomic_pipeline]  ======= Building Agent ('13.30.0.9590-

• cm bump worked with this changeset link + the related patch
  • this caused in init_test_run agent build to release the agent to ecr as release.json has changed

[2025/08/14 13:59:35.068] === Detecting OM Mapping Changes (Local vs Base) ===

[2025/08/14 13:59:35.068] INFO     2025-08-14 11:59:35,067 [atomic_pipeline]  Building Agent versions: [('13.38.0.9654-1', '100.12.2')]

[2025/08/14 13:59:35.068] INFO     2025-08-14 11:59:35,068 [atomic_pipeline]  Running with factor of None

[2025/08/14 13:59:35.068] INFO     2025-08-14 11:59:35,068 [atomic_pipeline]  ======= Agent versions to build [('13.38.0.9654-1', '100.12.2')] =======

[2025/08/14 13:59:35.068] INFO     2025-08-14 11:59:35,068 [atomic_pipeline]  ======= Building Agent ('13.38.0.9654-1', '100.12.2') (0/1)

• we have a dedicated variant that can also release all agents: link

Example Cases

A new OM/CM bump workflow

• publish_om/cm and release_agent variants are getting triggered
• detection script detects a change in release.json
• release the new agent

Checklist

• Have you linked a jira ticket and/or is the ticket in the title?
• Have you checked whether your jira ticket required DOCSP changes?
• Have you added changelog file?
  • use skip-changelog label if not needed
  • refer to Changelog files and Release Notes section in CONTRIBUTING.md for more details

[github-actions]

⚠️ (this preview might not be accurate if the PR is not rebased on current master branch)

MCK 1.3.0 Release Notes

Bug Fixes

• This change fixes the current complex and difficult-to-maintain architecture for stateful set containers, which relies on an "agent matrix" to map operator and agent versions which led to a sheer amount of images.
• We solve this by shifting to a 3-container setup. This new design eliminates the need for the operator-version/agent-version matrix by adding one additional container containing all required binaries. This architecture maps to what we already do with the mongodb-database container.
• Fixed an issue where the readiness probe reported the node as ready even when its authentication mechanism was not in sync with the other nodes, potentially causing premature restarts.

Other Changes

• Optional permissions for PersistentVolumeClaim moved to a separate role. When managing the operator with Helm it is possible to disable permissions for PersistentVolumeClaim resources by setting operator.enablePVCResize value to false (true by default). When enabled, previously these permissions were part of the primary operator role. With this change, permissions have a separate role.
• subresourceEnabled Helm value was removed. This setting used to be true by default and made it possible to exclude subresource permissions from the operator role by specifying false as the value. We are removing this configuration option, making the operator roles always have subresource permissions. This setting was introduced as a temporary solution for this OpenShift issue. The issue has since been resolved and the setting is no longer needed.

[nammn]

we still use all run this on every patch, the script just checks whether its required and potentially skips it then if there are no changes.

Why still run it?
On CM and OM bump prs we still need the agent in ecr first. This ensures we build it to ecr first

[nammn]

defaults to false

[nammn]

all_agents expansion is empty, but in the manual release agents on ecr variant it will be set to --all-agents

[MaciejKaras]

this should be in scripts/release/tests otherwise it is not run in CI. @mircea-cosbuc knows more about it

[MaciejKaras]

maybe we should move scripts/release/tests to scripts/tests/release?

so this test would go to scripts/tests

[nammn]

it is though 😕
https://spruce.mongodb.com/task/mongodb_kubernetes_unit_tests_unit_tests_python_patch_f0df6f42547f5602c5c4ab120d1d7e3d0db05797_689deba0420e560007c79dab_25_08_14_13_58_58/logs?execution=0

[MaciejKaras]

are we still using the legacy pipeline anywhere for agents?

[nammn]

maybe - right now i want things to be consistent

[mircea-cosbuc]

I think this still needs answering. Since you're changing the image build for the agent there should be a decision on whether moving to atomic pipeline is happening. The title and the description of the PR imply that we're getting rid of pipeline.py .

[nammn]

yes i was unclear. What I meant is - we should move to atomic_pipeline to make sure we are not changing 2 files at the same time (for the release as well as for patches).

Due to this reasons I've made pipeline.py and atomic_pipeline.py agent handling the same to not have that edge-case that we overlook something and still call pipeline.py

we plan to migrate to atomic for releases: #344

[MaciejKaras]

but that PR does not touch agent images at all.

If we are in fact moving away from agent image building in legacy pipeline code, we should not make changes to it or remove redundant code completely

[nammn]

the problem now is that we have duplicated code in pipeline and atomic.

one is for releasing and one for patches but for agent releases both are the same duplicated code. I think its better to just use atomic with scenarion release 937e953. If you strongly disagree i can move back to pipeline and have them duplicated

[mircea-cosbuc]

I think this still needs answering. Since you're changing the image build for the agent there should be a decision on whether moving to atomic pipeline is happening. The title and the description of the PR imply that we're getting rid of pipeline.py .

[nammn]

this is cherry-picked from https://github.com/mongodb/mongodb-kubernetes/pull/344/files#diff-ad8722e626fc7bc08be6765b8268550446b1fb934c1a7eb6a5766d6446f92ad1 and i need to use this for the agent. We can merge either and I can fix the merge conflict - but this ensures we will get the correct merge either way

[nammn]

my change here is to make version optional, but this is hacky and we should make it properly for om and the agent in a next step https://jira.mongodb.org/browse/CLOUDP-338152

[anandsyncs]

Why don't we use a logger in this file?

[anandsyncs]

Would it make sense to properly log these exceptions?

[anandsyncs]

LGTM!
No blocking issues from my side.
Only some comments about logging.