CLOUDP-389371: publish master-built images to quay staging

[lsierant]

Summary

Publish every master-built images to public quay.io/mongodb/staging repositories alongside our private ECR.

This enables installation of the operator directly from master builds. Keep note that the correct installation script should extract and apply crds from the OCI helm chart before installing the operator. This script is not part of this PR and will be added as a followup.

It is possible to trigger staging build from any branch/PR (see Proof of Work section).

In time we might decide to retire ECR repository entirely.

How to install operator from staging

operator_version="b770203f"
staging_registry="quay.io/mongodb/staging"
chart_oci="oci://quay.io/mongodb/staging/helm-charts/mongodb-kubernetes"
chart_version="0.0.0+${operator_version}"
helm upgrade --install mongodb-kubernetes-operator "${chart_oci}" \
  --version "${chart_version}" \
  --namespace "${NAMESPACE}" \
  --create-namespace \
  --set telemetry.enabled=false \
  --set registry.operator="${staging_registry}" \
  --set registry.database="${staging_registry}" \
  --set registry.initDatabase="${staging_registry}" \
  --set registry.initOpsManager="${staging_registry}" \
  --set registry.opsManager="${staging_registry}" \
  --set registry.agent="${staging_registry}" \
  --set registry.versionUpgradeHook="${staging_registry}" \
  --set registry.readinessProbe="${staging_registry}" \
  --set community.registry.agent="${staging_registry}" \
  --set operator.version="${operator_version}" \
  --set database.version="${operator_version}" \
  --set initDatabase.version="${operator_version}" \
  --set initOpsManager.version="${operator_version}" \
  --set agent.version="${operator_version}" \
  --set versionUpgradeHook.version="${operator_version}" \
  --set readinessProbe.version="${operator_version}" \
  --set community.agent.version="${operator_version}"

Proof of Work

Manual staging build triggered as

evergreen patch -p mongodb-kubernetes -v init_test_run -t all -d "search/multiple-mongot staging build" --param "BUILD_SCENARIO=staging" -f -y -u

evg link

For example, operator build from commit sha b770203f
published images into two registries:

[2026/03/13 22:14:04.305] #71 pushing manifest for 268558157000.dkr.ecr.us-east-1.amazonaws.com/staging/mongodb-kubernetes:b770203f@sha256:6b45e5b79c8cf767e692a591d1c9a168ee0deabbecce46d0bc74bc000afa8823
[2026/03/13 22:14:05.726] #71 pushing manifest for 268558157000.dkr.ecr.us-east-1.amazonaws.com/staging/mongodb-kubernetes:b770203f@sha256:6b45e5b79c8cf767e692a591d1c9a168ee0deabbecce46d0bc74bc000afa8823 1.4s done
[2026/03/13 22:14:05.933] #71 ...
[2026/03/13 22:14:05.934] #72 [auth] mongodb/staging/mongodb-kubernetes:pull,push token for quay.io
[2026/03/13 22:14:05.934] #72 DONE 0.0s
[2026/03/13 22:14:05.934] #71 exporting to image
[2026/03/13 22:14:13.205] #71 pushing layers 7.5s done
[2026/03/13 22:14:13.205] #71 pushing manifest for quay.io/mongodb/staging/mongodb-kubernetes:b770203f@sha256:6b45e5b79c8cf767e692a591d1c9a168ee0deabbecce46d0bc74bc000afa8823
[2026/03/13 22:14:17.012] #71 pushing manifest for quay.io/mongodb/staging/mongodb-kubernetes:b770203f@sha256:6b45e5b79c8cf767e692a591d1c9a168ee0deabbecce46d0bc74bc000afa8823 3.8s done

[github-actions]

⚠️ (this preview might not be accurate if the PR is not rebased on current master branch)

MCK 1.7.1 Release Notes

Bug Fixes

• MongoDBOpsManager: Correctly handle the edge case where -admin-key was created by user and malformed. Previously the error was only presented in DEBUG log entry.
• MongoDBOpsManager: Improved readiness probe error handling and appDB agent status logging

Other Changes

• Container images: Merged the init-database and init-appdb init container images into a single init-database image. The init-appdb image will no longer be published and does not affect existing deployments.
  • The following Helm chart values have been removed: initAppDb.name, initAppDb.version, and registry.initAppDb. Use initDatabase.name, initDatabase.version, and registry.initDatabase instead.
  • The following environment variables have been removed: INIT_APPDB_IMAGE_REPOSITORY and INIT_APPDB_VERSION. Use INIT_DATABASE_IMAGE_REPOSITORY and INIT_DATABASE_VERSION instead.
• Helm Chart: Removed operator.baseName Helm value. This value was never intended to be consumed by operator users and was never documented. The value controls the prefix for workload RBAC resource names (mongodb-kubernetes default), but changing it could break the operator and workloads because the operator is not aware of custom prefixes. With this change, the Helm chart will no longer allow customisation and the relevant resources will be deployed with predefined names (ServiceAccount with names mongodb-kubernetes-appdb, mongodb-kubernetes-database-pods, mongodb-kubernetes-ops-manager, Role with name mongodb-kubernetes-appdb and RoleBinding with name mongodb-kubernetes-appdb).

[MaciejKaras]

I think right now for logging in we only care about registry, the whole repository string is irrelevant.

What if we simplify this by using set() for uniqueness and map to registry from the beginning? Something like this?

registries = set([get_registry_host(repository) for repository in repositories])

for registry in registries:
    if registry == QUAY_REGISTRY:
        helm_registry_login_to_quay(registry)
    else:
        region = get_ecr_region(registry)
        helm_registry_login_to_ecr(registry, region)