{"level":"info","ts":"2026-06-13T00:41:13.388Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:13.389Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:13.389Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"error","ts":"2026-06-13T00:41:13.400Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-13T00:40:21Z","generation":1,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"0776d36d-9011-4f5e-baa6-f9a796faaef4\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:40:21Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"0776d36d-9011-4f5e-baa6-f9a796faaef4"}],"resourceVersion":"25245","uid":"3292fd96-bb48-4a70-9deb-faf0f25197d2"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"54905445f148149fd64fa99b85734bed42a36c6a8bb9d4f1c08d03b56222b71b","routeRuleConditions":{"hostnames":["keycloak.apps.28775f6d-2945-421c-b46a-73a882f34165.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:41:13.401Z","logger":"kuadrant-operator.IstioAuthClusterReconciler","msg":"failed to create envoyfilter object","gateway":"openshift-ingress/maas-default-gateway","envoyfilter":{"apiVersion":"networking.istio.io/v1alpha3","kind":"EnvoyFilter","metadata":{"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"kuadrant-auth-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"0776d36d-9011-4f5e-baa6-f9a796faaef4"}]},"spec":{"configPatches":[{"applyTo":"CLUSTER","match":{"cluster":{"service":"authorino-authorino-authorization.kuadrant-system.svc.cluster.local"}},"patch":{"operation":"ADD","value":{"connect_timeout":"1s","http2_protocol_options":{},"lb_policy":"ROUND_ROBIN","load_assignment":{"cluster_name":"kuadrant-auth-service","endpoints":[{"lb_endpoints":[{"endpoint":{"address":{"socket_address":{"address":"authorino-authorino-authorization.kuadrant-system.svc.cluster.local","port_value":50051}}}}]}]},"name":"kuadrant-auth-service","type":"STRICT_DNS"}}}],"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}]},"status":{}},"error":"envoyfilters.networking.istio.io \"kuadrant-auth-maas-default-gateway\" already exists"} {"level":"error","ts":"2026-06-13T00:41:13.402Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"keycloak-system/keycloak-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:keycloak-system/keycloak-route#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6\" already exists"} {"level":"error","ts":"2026-06-13T00:41:13.414Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f\" already exists"} {"level":"error","ts":"2026-06-13T00:41:13.426Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-2"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d\" already exists"} {"level":"error","ts":"2026-06-13T00:41:13.434Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:41:13.440Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"keycloak-route","namespace":"keycloak-system","uid":"eb9104e0-096d-4fa3-8fe1-e3154a56240b","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"keycloak-route\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:41:13.478Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"maas-api-route","namespace":"opendatahub","uid":"e282df1c-ed72-4314-ada2-d0f35d8a0cd0","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"maas-api-route\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:41:13.483Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"maas-default-gateway","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:41:13.901Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","ConfigMap","HTTPRoute","Gateway","WasmPlugin","AuthPolicy","EnvoyFilter"],"eventTypes":{"create":4,"update":6}} {"level":"info","ts":"2026-06-13T00:41:13.912Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:13.913Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:41:13.913Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-13T00:41:13.913Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:13.982Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:13.982Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:13.982Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:13.999Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:41:14.000Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:14.088Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig"],"eventTypes":{"update":2}} {"level":"error","ts":"2026-06-13T00:41:14.104Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:41:18.610Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","ConfigMap","AuthPolicy","HTTPRoute"],"eventTypes":{"create":1,"update":3}} {"level":"info","ts":"2026-06-13T00:41:18.619Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:41:18.620Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:18.620Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-13T00:41:18.622Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:18.622Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:18.678Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:18.679Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:19.081Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:41:19.083Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:19.190Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute"],"eventTypes":{"update":1}} {"level":"info","ts":"2026-06-13T00:41:19.199Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:19.199Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:19.199Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:19.278Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:41:19.278Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-13T00:41:19.278Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"error","ts":"2026-06-13T00:41:19.282Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:41:19.282Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"error","ts":"2026-06-13T00:41:19.289Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-13T00:40:21Z","generation":2,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"0776d36d-9011-4f5e-baa6-f9a796faaef4\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:13Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"0776d36d-9011-4f5e-baa6-f9a796faaef4"}],"resourceVersion":"26137","uid":"3292fd96-bb48-4a70-9deb-faf0f25197d2"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"54905445f148149fd64fa99b85734bed42a36c6a8bb9d4f1c08d03b56222b71b","routeRuleConditions":{"hostnames":["keycloak.apps.28775f6d-2945-421c-b46a-73a882f34165.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:41:19.291Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-3"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa\" already exists"} {"level":"error","ts":"2026-06-13T00:41:19.305Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c\" already exists"} {"level":"error","ts":"2026-06-13T00:41:19.317Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-2"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a\" already exists"} {"level":"error","ts":"2026-06-13T00:41:19.330Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-4"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b\" already exists"} {"level":"error","ts":"2026-06-13T00:41:19.334Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"gateway-default-deny","namespace":"openshift-ingress","uid":"27718858-cd7f-490e-8c67-7d69a8f42ace","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"gateway-default-deny\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:41:19.338Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:41:19.338Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:41:19.339Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"error","ts":"2026-06-13T00:41:19.343Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"e2e-distinct-2-simulated-kserve-route","namespace":"llm","uid":"99e6a32c-8d31-4f33-b096-11e309b91c07","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"e2e-distinct-2-simulated-kserve-route\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:41:19.780Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","AuthPolicy","WasmPlugin","TokenRateLimitPolicy","HTTPRoute","Limitador","ConfigMap"],"eventTypes":{"create":4,"update":6}} {"level":"info","ts":"2026-06-13T00:41:19.787Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-13T00:41:19.787Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-13T00:41:19.789Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:19.789Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:41:19.789Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-13T00:41:19.789Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:19.789Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:19.789Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:19.791Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:19.795Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-13T00:41:19.795Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:19.892Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:41:19.895Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:20.104Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","TokenRateLimitPolicy","Limitador","ConfigMap"],"eventTypes":{"update":4}} {"level":"info","ts":"2026-06-13T00:41:20.182Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-13T00:41:20.182Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-13T00:41:20.184Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:20.184Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:20.184Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:20.186Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:41:20.186Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-13T00:41:20.186Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:20.187Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-13T00:41:20.187Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:20.278Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:20.292Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:41:20.294Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:34.582Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","ConfigMap","HTTPRoute"],"eventTypes":{"create":1,"update":2}} {"level":"info","ts":"2026-06-13T00:41:34.593Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:34.593Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:34.593Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:34.595Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:41:34.596Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-13T00:41:34.678Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:34.679Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:34.895Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:41:34.897Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:34.993Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute"],"eventTypes":{"update":1}} {"level":"info","ts":"2026-06-13T00:41:35.179Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:35.181Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:41:35.182Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-13T00:41:35.182Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:35.182Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:35.184Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"error","ts":"2026-06-13T00:41:35.190Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:41:35.190Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"error","ts":"2026-06-13T00:41:35.192Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-3"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618\" already exists"} {"level":"error","ts":"2026-06-13T00:41:35.281Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2\" already exists"} {"level":"error","ts":"2026-06-13T00:41:35.294Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-13T00:40:21Z","generation":3,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"0776d36d-9011-4f5e-baa6-f9a796faaef4\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:18Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"0776d36d-9011-4f5e-baa6-f9a796faaef4"}],"resourceVersion":"26277","uid":"3292fd96-bb48-4a70-9deb-faf0f25197d2"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"54905445f148149fd64fa99b85734bed42a36c6a8bb9d4f1c08d03b56222b71b","routeRuleConditions":{"hostnames":["keycloak.apps.28775f6d-2945-421c-b46a-73a882f34165.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"97baef229ab3877742037427f279d74d823fdac1d905b3adf54884f62cd6642a","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"37d38d688f4881b6b6d78cf081dd62e7a0613d1931344fe9f5b636dd5d771db1","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d0751135b15b5ff103c70e20d2f13f028c6451c15e5543d7a1975b13ee1f8149","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"cbd0c2da2572a35cd3b4337f215f7ea87eb0fd2dab2d8b96a3633b802e944cf3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:41:35.296Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-2"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7\" already exists"} {"level":"error","ts":"2026-06-13T00:41:35.309Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-4"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374\" already exists"} {"level":"error","ts":"2026-06-13T00:41:35.315Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"gateway-default-deny","namespace":"openshift-ingress","uid":"27718858-cd7f-490e-8c67-7d69a8f42ace","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"gateway-default-deny\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:41:35.387Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:41:35.387Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:41:35.390Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"error","ts":"2026-06-13T00:41:35.392Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"e2e-distinct-simulated-kserve-route","namespace":"llm","uid":"7059d645-78eb-4cdb-9be9-7a3d081dc31e","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"e2e-distinct-simulated-kserve-route\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:41:36.178Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","AuthConfig","WasmPlugin","TokenRateLimitPolicy","Limitador","ConfigMap","HTTPRoute"],"eventTypes":{"create":4,"update":6}} {"level":"info","ts":"2026-06-13T00:41:36.193Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-13T00:41:36.194Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-13T00:41:36.199Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:36.200Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:36.200Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:36.202Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:41:36.280Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:36.280Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-13T00:41:36.280Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:36.280Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-13T00:41:36.280Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:36.395Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:41:36.398Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:36.880Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","Limitador","ConfigMap","TokenRateLimitPolicy"],"eventTypes":{"update":4}} {"level":"info","ts":"2026-06-13T00:41:36.889Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-13T00:41:36.890Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-13T00:41:36.895Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-13T00:41:36.895Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:36.896Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:36.896Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:36.896Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:36.898Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:41:36.899Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-13T00:41:36.899Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:36.901Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:37.089Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:41:37.094Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:44.183Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","HTTPRoute","ConfigMap"],"eventTypes":{"create":1,"update":2}} {"level":"info","ts":"2026-06-13T00:41:44.195Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:44.278Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:44.278Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:44.278Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:41:44.279Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-13T00:41:44.283Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:44.288Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:44.778Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:41:44.781Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:44.880Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute"],"eventTypes":{"update":1}} {"level":"info","ts":"2026-06-13T00:41:44.893Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:44.893Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:44.893Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:44.895Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:41:44.896Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-13T00:41:44.979Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"error","ts":"2026-06-13T00:41:44.981Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-2"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4\" already exists"} {"level":"error","ts":"2026-06-13T00:41:44.983Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:41:44.983Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"error","ts":"2026-06-13T00:41:44.994Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1\" already exists"} {"level":"error","ts":"2026-06-13T00:41:45.078Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-3"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb\" already exists"} {"level":"error","ts":"2026-06-13T00:41:45.086Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-13T00:40:21Z","generation":4,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"0776d36d-9011-4f5e-baa6-f9a796faaef4\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:34Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"0776d36d-9011-4f5e-baa6-f9a796faaef4"}],"resourceVersion":"26546","uid":"3292fd96-bb48-4a70-9deb-faf0f25197d2"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"54905445f148149fd64fa99b85734bed42a36c6a8bb9d4f1c08d03b56222b71b","routeRuleConditions":{"hostnames":["keycloak.apps.28775f6d-2945-421c-b46a-73a882f34165.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a6259e031deb01ee4da2bb151348f2ecb2911c3a028e205a1c3226b376eb2a2d","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"97baef229ab3877742037427f279d74d823fdac1d905b3adf54884f62cd6642a","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"444ee84fa1d1c0b5811d9eb7e61197460aaa5e24874dce3000047afb78eedcb2","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"37d38d688f4881b6b6d78cf081dd62e7a0613d1931344fe9f5b636dd5d771db1","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"93b69fcfc80e73da87822ba6be11bc487be511f4d38d4d911fd97a5b0e6cdfb7","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d0751135b15b5ff103c70e20d2f13f028c6451c15e5543d7a1975b13ee1f8149","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d9e0842efca62ec18863606db12ceebf38bbe9ef730da2630467ad9fc10100a0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"cbd0c2da2572a35cd3b4337f215f7ea87eb0fd2dab2d8b96a3633b802e944cf3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:41:45.090Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-4"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f\" already exists"} {"level":"error","ts":"2026-06-13T00:41:45.095Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"gateway-default-deny","namespace":"openshift-ingress","uid":"27718858-cd7f-490e-8c67-7d69a8f42ace","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"gateway-default-deny\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:41:45.100Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:41:45.100Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"error","ts":"2026-06-13T00:41:45.108Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"e2e-trlp-test-simulated-kserve-route","namespace":"llm","uid":"ec8f8659-25c7-4040-9266-0938228dfe59","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"e2e-trlp-test-simulated-kserve-route\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:41:45.179Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:46.205Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","AuthConfig","ConfigMap","Limitador","WasmPlugin","AuthPolicy","HTTPRoute"],"eventTypes":{"create":4,"update":6}} {"level":"info","ts":"2026-06-13T00:41:46.213Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-13T00:41:46.214Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-13T00:41:46.280Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-13T00:41:46.280Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:46.282Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:46.282Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:46.282Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:46.284Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:41:46.285Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-13T00:41:46.285Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:46.288Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:46.399Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:41:46.489Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:46.592Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig"],"eventTypes":{"update":1}} {"level":"error","ts":"2026-06-13T00:41:46.691Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:41:46.983Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","Limitador","ConfigMap","AuthPolicy"],"eventTypes":{"update":4}} {"level":"info","ts":"2026-06-13T00:41:47.079Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-13T00:41:47.079Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-13T00:41:47.085Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:47.085Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:41:47.085Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:47.087Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:41:47.088Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-13T00:41:47.088Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:47.090Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-13T00:41:47.090Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-13T00:41:47.178Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:41:47.294Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:41:47.301Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:03.489Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway","HTTPRoute"],"eventTypes":{"create":1,"update":2}} {"level":"info","ts":"2026-06-13T00:42:03.582Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:03.583Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:42:03.583Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:03.586Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:03.778Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:42:03.780Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-13T00:42:03.878Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:04.094Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:42:04.098Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:04.191Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute"],"eventTypes":{"update":1}} {"level":"info","ts":"2026-06-13T00:42:04.279Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:04.279Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:42:04.280Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-13T00:42:04.280Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:42:04.280Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"error","ts":"2026-06-13T00:42:04.284Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:42:04.284Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:04.285Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"error","ts":"2026-06-13T00:42:04.291Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5\" already exists"} {"level":"error","ts":"2026-06-13T00:42:04.378Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a\" already exists"} {"level":"error","ts":"2026-06-13T00:42:04.478Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5\" already exists"} {"level":"error","ts":"2026-06-13T00:42:04.485Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-13T00:40:21Z","generation":5,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"0776d36d-9011-4f5e-baa6-f9a796faaef4\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:44Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"0776d36d-9011-4f5e-baa6-f9a796faaef4"}],"resourceVersion":"26746","uid":"3292fd96-bb48-4a70-9deb-faf0f25197d2"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"54905445f148149fd64fa99b85734bed42a36c6a8bb9d4f1c08d03b56222b71b","routeRuleConditions":{"hostnames":["keycloak.apps.28775f6d-2945-421c-b46a-73a882f34165.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"0f9ab5b59d41deac660da2eb1d0a5f24e077e4a7cd14f339dcf52d28f04c7867","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"ca70359add5c6503be25edc73c4e1d1b9ecd52b90f1464f7b7fccc93f02ee1cd","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3df6dbaac7d8180af06df213797f77704246a929e55f73d207b164a095832f11","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"29ba2d99e8547db550138417bc4dd1de1fe95f80c1a67235729f38ceb873fabe","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a6259e031deb01ee4da2bb151348f2ecb2911c3a028e205a1c3226b376eb2a2d","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"97baef229ab3877742037427f279d74d823fdac1d905b3adf54884f62cd6642a","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"444ee84fa1d1c0b5811d9eb7e61197460aaa5e24874dce3000047afb78eedcb2","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"37d38d688f4881b6b6d78cf081dd62e7a0613d1931344fe9f5b636dd5d771db1","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"93b69fcfc80e73da87822ba6be11bc487be511f4d38d4d911fd97a5b0e6cdfb7","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d0751135b15b5ff103c70e20d2f13f028c6451c15e5543d7a1975b13ee1f8149","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d9e0842efca62ec18863606db12ceebf38bbe9ef730da2630467ad9fc10100a0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"cbd0c2da2572a35cd3b4337f215f7ea87eb0fd2dab2d8b96a3633b802e944cf3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:42:04.490Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be\" already exists"} {"level":"error","ts":"2026-06-13T00:42:04.495Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"gateway-default-deny","namespace":"openshift-ingress","uid":"27718858-cd7f-490e-8c67-7d69a8f42ace","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"gateway-default-deny\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:42:04.587Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:42:04.587Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:42:04.592Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"error","ts":"2026-06-13T00:42:04.592Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","namespace":"llm","uid":"31d6da2a-404c-4a04-a7f0-5cc1620ccf73","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"e2e-unconfigured-facebook-opt-125m-simulated-kserve-route\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:42:05.419Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","WasmPlugin","AuthConfig","Limitador","HTTPRoute","ConfigMap","AuthPolicy"],"eventTypes":{"create":4,"update":6}} {"level":"info","ts":"2026-06-13T00:42:05.427Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-13T00:42:05.429Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-13T00:42:05.483Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-13T00:42:05.483Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:05.487Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:42:05.488Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:05.488Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-13T00:42:05.488Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:05.578Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:42:05.578Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:05.581Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:05.897Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:42:05.902Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:06.287Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","ConfigMap","AuthPolicy","TokenRateLimitPolicy"],"eventTypes":{"update":4}} {"level":"info","ts":"2026-06-13T00:42:06.295Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-13T00:42:06.297Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-13T00:42:06.481Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:06.487Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:42:06.489Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-13T00:42:06.489Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:06.584Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-13T00:42:06.584Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:06.678Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:42:06.678Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:06.686Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:06.892Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"error","ts":"2026-06-13T00:42:06.900Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"maas-default-gateway","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:42:06.979Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:07.785Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","HTTPRoute","ConfigMap","TokenRateLimitPolicy"],"eventTypes":{"create":2,"update":2}} {"level":"info","ts":"2026-06-13T00:42:07.984Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:07.984Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:42:07.986Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-13T00:42:07.986Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:42:07.986Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:08.079Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:08.081Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:08.581Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:42:08.586Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:09.579Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","WasmPlugin","TokenRateLimitPolicy","ConfigMap","Limitador","AuthPolicy","HTTPRoute"],"eventTypes":{"create":4,"update":7}} {"level":"info","ts":"2026-06-13T00:42:09.588Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-13T00:42:09.589Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-13T00:42:09.689Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-13T00:42:09.689Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:09.782Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:09.782Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:42:09.782Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:09.786Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:42:09.880Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-13T00:42:09.880Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:09.880Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:09.994Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:42:10.080Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:10.185Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig"],"eventTypes":{"update":1}} {"level":"error","ts":"2026-06-13T00:42:10.393Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:42:10.783Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","TokenRateLimitPolicy","Limitador","AuthPolicy"],"eventTypes":{"update":4}} {"level":"info","ts":"2026-06-13T00:42:10.879Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-13T00:42:10.881Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-13T00:42:10.979Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-13T00:42:10.979Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:10.981Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:10.981Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:42:10.983Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-13T00:42:10.983Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:10.983Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:42:10.983Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:11.080Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:11.278Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:42:11.287Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:25.588Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute","Gateway","TokenRateLimitPolicy","ConfigMap"],"eventTypes":{"create":2,"update":2}} {"level":"info","ts":"2026-06-13T00:42:25.790Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:25.878Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:42:25.880Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-13T00:42:25.881Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:42:25.881Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:25.886Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:25.978Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:26.584Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:42:26.591Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:26.689Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute"],"eventTypes":{"update":1}} {"level":"info","ts":"2026-06-13T00:42:26.784Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:26.784Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:42:26.786Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"error","ts":"2026-06-13T00:42:26.879Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:42:26.879Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"error","ts":"2026-06-13T00:42:26.879Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-2"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24\" already exists"} {"level":"info","ts":"2026-06-13T00:42:26.880Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:42:26.880Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:26.881Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"error","ts":"2026-06-13T00:42:26.894Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-4"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86\" already exists"} {"level":"error","ts":"2026-06-13T00:42:27.078Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef\" already exists"} {"level":"error","ts":"2026-06-13T00:42:27.178Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-3"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2\" already exists"} {"level":"error","ts":"2026-06-13T00:42:27.191Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-13T00:40:21Z","generation":7,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"0776d36d-9011-4f5e-baa6-f9a796faaef4\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:42:08Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"0776d36d-9011-4f5e-baa6-f9a796faaef4"}],"resourceVersion":"27231","uid":"3292fd96-bb48-4a70-9deb-faf0f25197d2"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"54905445f148149fd64fa99b85734bed42a36c6a8bb9d4f1c08d03b56222b71b","routeRuleConditions":{"hostnames":["keycloak.apps.28775f6d-2945-421c-b46a-73a882f34165.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"0f9ab5b59d41deac660da2eb1d0a5f24e077e4a7cd14f339dcf52d28f04c7867","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"ca70359add5c6503be25edc73c4e1d1b9ecd52b90f1464f7b7fccc93f02ee1cd","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3df6dbaac7d8180af06df213797f77704246a929e55f73d207b164a095832f11","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"bb22e883980a995d5381ec6dc068eac7dad6f44ad8c6c494bac8d0db9e9c5f06","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"d6a603a23a707d5ecfe0c23a03ae7cb2d64110e9c11b50e0b3dde829d2f55ff5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"4a34c3f151697e84771d86a0b439e98df2ae85d6df00ad199643ca39bc386d02","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"ae28cf21965c95af7482715f2e1e23d83fa238c0e2649c5166c873e33b10d543","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"29ba2d99e8547db550138417bc4dd1de1fe95f80c1a67235729f38ceb873fabe","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a6259e031deb01ee4da2bb151348f2ecb2911c3a028e205a1c3226b376eb2a2d","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"97baef229ab3877742037427f279d74d823fdac1d905b3adf54884f62cd6642a","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"a2c1bbd8109bc5cbf6f3b5429e278eaaacf98a35a57d014f1fd5783255cdf122","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"1271bf2a1fb72c512e7752f10847edbe9fef443c3d6e4783341d7aa721f423b0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"444ee84fa1d1c0b5811d9eb7e61197460aaa5e24874dce3000047afb78eedcb2","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"37d38d688f4881b6b6d78cf081dd62e7a0613d1931344fe9f5b636dd5d771db1","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"93b69fcfc80e73da87822ba6be11bc487be511f4d38d4d911fd97a5b0e6cdfb7","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d0751135b15b5ff103c70e20d2f13f028c6451c15e5543d7a1975b13ee1f8149","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"17c95243a9d9267db05df573212cf6769a2993b0f1d81c41c949e017251b7678","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"bbd718eb041215b024cc6391a723517d277cf6dafe222d110de0e5cf05c5a1d8","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d9e0842efca62ec18863606db12ceebf38bbe9ef730da2630467ad9fc10100a0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"cbd0c2da2572a35cd3b4337f215f7ea87eb0fd2dab2d8b96a3633b802e944cf3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:42:27.204Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-facebook-opt-125m-simulated","namespace":"llm","uid":"4d519fda-23c5-4b38-bab2-3c611eec5419","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-facebook-opt-125m-simulated\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:42:27.204Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:42:27.283Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-premium-simulated-simulated-premium","namespace":"llm","uid":"f4242421-2e8c-4a32-b49b-689a6d6c0361","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-premium-simulated-simulated-premium\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:42:27.283Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"error","ts":"2026-06-13T00:42:27.289Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"premium-simulated-simulated-premium-kserve-route","namespace":"llm","uid":"8913dbee-4207-4039-a7d5-cb48b9b213ef","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"premium-simulated-simulated-premium-kserve-route\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:42:27.290Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:28.479Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","AuthConfig","TokenRateLimitPolicy","Limitador","WasmPlugin","HTTPRoute","AuthPolicy"],"eventTypes":{"create":4,"update":7}} {"level":"info","ts":"2026-06-13T00:42:28.497Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-13T00:42:28.499Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-13T00:42:28.580Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-13T00:42:28.580Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:28.583Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:42:28.585Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:28.585Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-13T00:42:28.585Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:28.589Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:42:28.589Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:28.681Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:29.092Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:42:29.179Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:29.686Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","Limitador","ConfigMap","AuthPolicy"],"eventTypes":{"update":5}} {"level":"info","ts":"2026-06-13T00:42:29.694Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-13T00:42:29.696Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-13T00:42:29.779Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-13T00:42:29.779Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:29.785Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:29.785Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:42:29.785Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:29.881Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:42:29.884Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-13T00:42:29.981Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-13T00:42:29.981Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-13T00:42:30.286Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:42:30.294Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:43:14.584Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Authorino"],"eventTypes":{"update":2}} {"level":"info","ts":"2026-06-13T00:43:14.599Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:43:14.604Z","logger":"kuadrant-operator.AuthorinoReconciler","msg":"authorino resource applied successfully"} {"level":"info","ts":"2026-06-13T00:43:14.604Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:43:14.685Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:43:16.878Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","ConfigMap","Authorino"],"eventTypes":{"update":12}} {"level":"info","ts":"2026-06-13T00:43:16.979Z","logger":"kuadrant-operator.AuthorinoReconciler","msg":"authorino resource applied successfully"} {"level":"info","ts":"2026-06-13T00:43:16.982Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:43:17.717Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:43:17.783Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:43:17.790Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","AuthPolicy"],"eventTypes":{"update":19}} {"level":"info","ts":"2026-06-13T00:43:17.985Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:43:17.985Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:43:17.985Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"error","ts":"2026-06-13T00:43:18.082Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-13T00:42:08Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:42:08Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:42:08Z"}],"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system","resourceVersion":"27226","uid":"20d88cfb-b24d-40f5-a725-c2a2e1d59473"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:42:08Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:42:08Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.178Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-13T00:41:18Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:18Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system","resourceVersion":"28229","uid":"5cb95920-aac9-4ce6-935e-9a983b160e56"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.188Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-13T00:42:08Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:42:08Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:14Z"}],"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system","resourceVersion":"28163","uid":"7cecfb3e-6cfe-46d4-bbce-a3cead4499ef"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:14Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:14Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.285Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-13T00:41:44Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:41:44Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:44Z"}],"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system","resourceVersion":"26781","uid":"54d631ce-902d-4bd5-87b4-db01fe481df9"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:41:44Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:41:44Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.295Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-1"},"creationTimestamp":"2026-06-13T00:41:13Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:41:13Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:13Z"}],"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system","resourceVersion":"26170","uid":"40e5cbf7-4ea6-407c-a913-771a9cfa78cd"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:41:13Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:41:13Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.378Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-13T00:41:34Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:34Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:14Z"}],"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system","resourceVersion":"28157","uid":"6bf2ba24-a630-4d1d-9b0d-4721a0fbf73a"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:14Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:14Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.387Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-4"},"creationTimestamp":"2026-06-13T00:42:25Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:42:25Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system","resourceVersion":"28231","uid":"164906d4-71f8-428c-85ba-518dc756985c"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.397Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-13T00:42:03Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:42:03Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:14Z"}],"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system","resourceVersion":"28127","uid":"a067812a-20b0-4489-be28-c498bee2aeb1"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:14Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:14Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.406Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-13T00:41:34Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:34Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:14Z"}],"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system","resourceVersion":"28160","uid":"868087ea-3aa3-4f88-ab60-34265b631152"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:14Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:14Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.416Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-13T00:41:44Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:44Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system","resourceVersion":"28221","uid":"5a3405a0-3068-4a0b-a215-3eef87c1c5f0"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.424Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-13T00:42:03Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:42:03Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system","resourceVersion":"28170","uid":"dc9fe24d-9b1c-4cfd-8ab9-cf496454f3cf"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.434Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-3"},"creationTimestamp":"2026-06-13T00:42:25Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:42:25Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system","resourceVersion":"28214","uid":"e94fddca-291d-45b6-ba52-a67b361a50e8"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.442Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-13T00:42:08Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:42:08Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system","resourceVersion":"28168","uid":"d0002832-7532-42f4-b469-0e6271190883"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.450Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-13T00:41:18Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:18Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system","resourceVersion":"28219","uid":"4611dd2f-c879-4686-a2b8-d6677b68ab31"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.457Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-2"},"creationTimestamp":"2026-06-13T00:41:13Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:13Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system","resourceVersion":"28182","uid":"c94c6775-6b4c-4154-baa5-cdd859876d22"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.464Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-13T00:41:18Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:18Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:14Z"}],"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system","resourceVersion":"28120","uid":"797cec6a-4c9f-4e06-9776-1ffcc492491d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:14Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:14Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.485Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-1"},"creationTimestamp":"2026-06-13T00:42:26Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:42:26Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:42:26Z"}],"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system","resourceVersion":"27532","uid":"ad1010ba-44fb-41f3-86ac-28dab82d760e"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:42:26Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:42:26Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.493Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-13T00:41:18Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:18Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system","resourceVersion":"28172","uid":"9f52ba09-7560-4abf-b2bf-62a55ac159c1"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.500Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"keycloak-system/keycloak-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:keycloak-system/keycloak-route#rule-1"},"creationTimestamp":"2026-06-13T00:41:13Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:13Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system","resourceVersion":"28220","uid":"abdcd66e-06b4-47eb-a936-909549cd97d4"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.508Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-13T00:41:34Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:34Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system","resourceVersion":"28224","uid":"a970c593-8318-42a3-b159-213bd08275f5"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.516Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-13T00:41:34Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:34Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system","resourceVersion":"28166","uid":"f0b78973-400f-4298-ab14-8a2605838272"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.523Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-13T00:42:03Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:42:03Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system","resourceVersion":"28232","uid":"21cdba61-235e-49f2-8b40-2794dee4e463"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.531Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-13T00:42:03Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:42:03Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system","resourceVersion":"28216","uid":"7153ab0f-485c-49bc-8b18-ea4d04d5430c"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.538Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-13T00:42:07Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:42:07Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:15Z"}],"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system","resourceVersion":"28222","uid":"e1d8c39d-b74a-4fd2-a072-a544a8948594"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:15Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.545Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-13T00:41:44Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:44Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:43:14Z"}],"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system","resourceVersion":"28124","uid":"64127081-08fa-473f-b481-3782a809e608"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:43:14Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:43:14Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.552Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-13T00:41:44Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:41:44Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:41:44Z"}],"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system","resourceVersion":"26752","uid":"57ee3769-f2ed-48f8-9a39-191a0dd8dc4d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:41:44Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:41:44Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.559Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-2"},"creationTimestamp":"2026-06-13T00:42:26Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-13T00:42:26Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Tenant-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-13T00:42:26Z"}],"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system","resourceVersion":"27524","uid":"3cecbd91-41d7-409a-ad05-9989ed74eaa8"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"expression":"size(auth.metadata.apiKeyValidation.groups) > 0 ? '[\"' + auth.metadata.apiKeyValidation.groups.join('\",\"') + '\"]' : '[]'","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Tenant":{"plain":{"selector":"auth.metadata.apiKeyValidation.tenant","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-13T00:42:26Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-13T00:42:26Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":8,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-13T00:43:18.587Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-13T00:43:19.582Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","ConfigMap","AuthConfig","Authorino"],"eventTypes":{"update":30}} {"level":"info","ts":"2026-06-13T00:43:19.680Z","logger":"kuadrant-operator.AuthorinoReconciler","msg":"authorino resource applied successfully"} {"level":"info","ts":"2026-06-13T00:43:19.788Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:43:19.878Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:43:19.878Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:43:20.003Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:43:20.084Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-13T00:43:20.790Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","Authorino","ConfigMap"],"eventTypes":{"update":3}} {"level":"info","ts":"2026-06-13T00:43:20.884Z","logger":"kuadrant-operator.AuthorinoReconciler","msg":"authorino resource applied successfully"} {"level":"info","ts":"2026-06-13T00:43:20.889Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-13T00:43:20.978Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-13T00:43:20.978Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-13T00:43:21.199Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-13T00:43:21.378Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}