Merge branch 'stable' into upgrade-fix

Aneri Thakkar · Aneri Thakkar · commit 0a248278aa31 · 2026-05-22T15:33:31.000+05:30
diff --git a/.github/workflows/python-release.yml b/.github/workflows/python-release.yml
@@ -45,7 +45,7 @@ jobs:
           cat ${GITHUB_WORKSPACE}/src/mas/devops/__init__.py
           python -m pip install --upgrade pip
           pip install .[dev]
-          python -m pytest
+          python -m pytest -m "not openshift"
 
       # 3. Flake8 Linting
       # -------------------------------------------------------------------------------------------
diff --git a/src/mas/devops/pre_install.py b/src/mas/devops/pre_install.py
@@ -75,11 +75,6 @@ def _should_apply_preinstall_mas_rbac_file(fileName: str, permissionMode: str) -
     if not (lowerName.endswith(".yml") or lowerName.endswith(".yaml")):
         return False
 
-    # TODO: Sort out this openshift-ingress exception properly.
-    # For now, always apply this manifest in any permission mode.
-    if lowerName == "role-essential-core-entitymgr-suite-openshift-ingress.yaml":
-        return True
-
     if permissionMode == "cluster":
         return lowerName.startswith("cluster-role-")
 
@@ -137,10 +132,6 @@ def _discover_preinstall_mas_rbac_files(
     if not rbacRootDir:
         rbacRootDir = DEFAULT_PREINSTALL_MAS_RBAC_ROOT
 
-    # Due to ingresscontroller role we need to apply the preinstall RBAC for the minimal permission mode
-    # if permissionMode == "minimal":
-    #     return []
-
     selectedOperatorDirs = _get_selected_operator_dirs(selectedApps)
 
     sourceRoots = [
@@ -280,12 +271,22 @@ def applyPreInstallMASRBAC(
     if not rbacRootDir:
         rbacRootDir = DEFAULT_PREINSTALL_MAS_RBAC_ROOT
 
-    validatedApps = _validate_selected_apps(selectedApps)
-
-    if not validatedApps:
-        logger.info("No selected apps provided for pre-install MAS RBAC apply")
+    # Minimal mode - essential roles will be applied by each operator
+    if permissionMode == "minimal":
+        logger.info("Minimal permission mode - essential roles will be applied by each operator")
         return
 
+    # For cluster mode, use ibm-mas operator only (apps not required)
+    if permissionMode == "cluster":
+        validatedApps = {"core"}  # Use core which maps to ibm-mas operator
+        logger.info("Cluster permission mode - using ibm-mas operator only")
+    else:
+        # For namespaced mode, validate and use selected apps
+        validatedApps = _validate_selected_apps(selectedApps)
+        if not validatedApps:
+            logger.info("No selected apps provided for namespaced mode pre-install MAS RBAC apply")
+            return
+
     manifestFiles = _discover_preinstall_mas_rbac_files(
         rbacRootDir=rbacRootDir,
         masVersion=masVersion,
