<?xml version="1.0" encoding="utf-8"?>
<!-- JUnit-format pytest report for an e2e run. The testsuite attributes record 56 tests, 5 failures, 2 skipped and 0 errors. Failure bodies hold pytest tracebacks with captured local variables, so handle this artifact as sensitive when it is stored or shared. -->
<testsuites name="pytest tests"><testsuite name="pytest" errors="0" failures="5" skipped="2" tests="56" time="281.833" timestamp="2026-06-09T14:30:27.712233+00:00" hostname="maas-group-test-5fv4z-e2e-maas-openshift-pod"><testcase classname="test.e2e.tests.test_tenant_health.TestTenantConditionValues" name="test_tenant_conditions_healthy" time="0.129" /><testcase classname="test.e2e.tests.test_tenant_health.TestTenantManagedResources" name="test_core_resources_exist[deployment-1]" time="0.119" /><testcase classname="test.e2e.tests.test_tenant_health.TestTenantManagedResources" name="test_core_resources_exist[service-1]" time="0.125" /><testcase classname="test.e2e.tests.test_tenant_health.TestTenantManagedResources" name="test_core_resources_exist[serviceaccount-1]" time="0.123" /><testcase classname="test.e2e.tests.test_tenant_health.TestTenantManagedResources" name="test_core_resources_exist[cronjob-1]" time="0.114" /><testcase classname="test.e2e.tests.test_tenant_health.TestTenantManagedResources" name="test_core_resources_exist[configmap-1]" time="0.116" /><testcase classname="test.e2e.tests.test_tenant_health.TestTenantManagedResources" name="test_core_resources_exist[networkpolicy-1]" time="0.113" /><testcase classname="test.e2e.tests.test_tenant_health.TestTenantManagedResources" name="test_networking_resources_exist[httproute.gateway.networking.k8s.io-1]" time="0.145" />
<!-- Failed: no authpolicy.kuadrant.io object carrying the tenant label was found in namespace opendatahub. The assertion counts label-selected objects only, so it shows a missing or unlabelled policy object, not whether requests are authenticated; confirm on the cluster whether an AuthPolicy is actually attached to the route. -->
<testcase classname="test.e2e.tests.test_tenant_health.TestTenantManagedResources" name="test_networking_resources_exist[authpolicy.kuadrant.io-1]" time="0.150"><failure message="AssertionError: Expected &gt;= 1 authpolicy.kuadrant.io(s) with label maas.opendatahub.io/tenant-name=default-tenant in namespace opendatahub, found 0: []&#10;assert 0 &gt;= 1&#10; +  where 0 = len([])">self = &lt;test_tenant_health.TestTenantManagedResources object at 0x7fbbede471c0&gt;
kind = 'authpolicy.kuadrant.io', min_count = 1

    @pytest.mark.parametrize("kind,min_count", [
        ("httproute.gateway.networking.k8s.io", 1),
        ("authpolicy.kuadrant.io", 1),
    ])
    def test_networking_resources_exist(self, kind, min_count):
        """Gateway API and policy resources must exist."""
        items = _list_resources_by_label(kind, namespace=DEPLOYMENT_NAMESPACE)
        assert items is not None, f"Resource type '{kind}' not available on cluster"
        names = [item["metadata"]["name"] for item in items]
&gt;       assert len(items) &gt;= min_count, (
            f"Expected &gt;= {min_count} {kind}(s) with label {TENANT_LABEL_SELECTOR} "
            f"in namespace {DEPLOYMENT_NAMESPACE}, found {len(items)}: {names}"
        )
E       AssertionError: Expected &gt;= 1 authpolicy.kuadrant.io(s) with label maas.opendatahub.io/tenant-name=default-tenant in namespace opendatahub, found 0: []
E       assert 0 &gt;= 1
E        +  where 0 = len([])

test/e2e/tests/test_tenant_health.py:210: AssertionError</failure></testcase><testcase classname="test.e2e.tests.test_tenant_health.TestTenantManagedResources" name="test_rbac_resources_exist[clusterrole-1]" time="0.124" /><testcase classname="test.e2e.tests.test_tenant_health.TestTenantManagedResources" name="test_rbac_resources_exist[clusterrolebinding-1]" time="0.127" /><testcase classname="test.e2e.tests.test_tenant_health.TestTenantManagedResources" name="test_monitoring_resources_exist" time="0.176" />
<!-- Skipped, not passed: the two Perses CRDs are not registered on this cluster, so these optional resources were not checked in this run. -->
<testcase classname="test.e2e.tests.test_tenant_health.TestTenantManagedResources" name="test_optional_resources_exist[persesdashboard.perses.dev-perses.dev-persesdashboards]" time="0.686"><skipped type="pytest.skip" message="CRD persesdashboards.perses.dev not registered on cluster">/workspace/source/test/e2e/tests/test_tenant_health.py:248: CRD persesdashboards.perses.dev not registered on cluster</skipped></testcase><testcase classname="test.e2e.tests.test_tenant_health.TestTenantManagedResources" name="test_optional_resources_exist[persesdatasource.perses.dev-perses.dev-persesdatasources]" time="0.122"><skipped type="pytest.skip" message="CRD persesdatasources.perses.dev not registered on cluster">/workspace/source/test/e2e/tests/test_tenant_health.py:248: CRD persesdatasources.perses.dev not registered on cluster</skipped></testcase><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyCRUD" name="test_create_api_key" time="0.128" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyCRUD" name="test_list_api_keys" time="0.161" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyCRUD" name="test_revoke_api_key" time="0.106" />
<!-- Cross-user authorization cases for API keys: both testcases have no failure child, so they passed in this run. -->
<testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyAuthorization" name="test_admin_manage_other_users_keys" time="0.135" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyAuthorization" name="test_non_admin_cannot_access_other_users_keys" time="0.098" /><testcase 
classname="test.e2e.tests.test_api_keys.TestAPIKeyBulkOperations" name="test_bulk_revoke_own_keys" time="0.269" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyBulkOperations" name="test_bulk_revoke_other_user_forbidden" time="0.031" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyBulkOperations" name="test_bulk_revoke_admin_can_revoke_any_user" time="0.102" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyExpiration" name="test_create_key_within_expiration_limit" time="0.034" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyExpiration" name="test_create_key_at_expiration_limit" time="0.033" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyExpiration" name="test_create_key_exceeds_expiration_limit" time="0.043" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyExpiration" name="test_create_key_without_expiration" time="0.038" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyExpiration" name="test_create_key_with_short_expiration" time="0.031" />
<!-- Rejection cases for model inference (invalid key, missing auth header, revoked key) have no failure child, so they passed; these are the negative authentication results this run actually produced. -->
<testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyModelInference" name="test_api_key_model_access_success" time="0.111" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyModelInference" name="test_invalid_api_key_rejected" time="0.035" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyModelInference" name="test_no_auth_header_rejected" time="0.022" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyModelInference" name="test_revoked_api_key_rejected" time="2.130" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyModelInference" name="test_api_key_chat_completions" time="0.037" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyRevocationE2E" name="test_double_revoke_returns_404" time="0.104" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyRevocationE2E" name="test_revoke_nonexistent_key_returns_404" time="0.031" /><testcase 
classname="test.e2e.tests.test_api_keys.TestAPIKeyRevocationE2E" name="test_revoke_then_create_new_key_works" time="0.150" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyRevocationE2E" name="test_individual_revoke_multiple_keys" time="0.215" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyRevocationE2E" name="test_revoke_keys_rejected_at_gateway" time="0.313" /><testcase classname="test.e2e.tests.test_api_keys.TestEphemeralKeyCleanup" name="test_cronjob_exists_and_configured" time="0.119" /><testcase classname="test.e2e.tests.test_api_keys.TestEphemeralKeyCleanup" name="test_cleanup_networkpolicy_exists" time="0.124" /><testcase classname="test.e2e.tests.test_api_keys.TestEphemeralKeyCleanup" name="test_create_ephemeral_key" time="0.109" /><testcase classname="test.e2e.tests.test_api_keys.TestEphemeralKeyCleanup" name="test_trigger_cleanup_preserves_active_keys" time="0.477" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionPhases" name="test_create_key_for_active_subscription" time="11.508" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionPhases" name="test_create_key_for_degraded_subscription" time="19.269" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionPhases" name="test_create_key_for_failed_subscription" time="19.481" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionPhases" name="test_create_key_for_pending_subscription" time="19.378" />
<!-- Failed: key creation for an unreconciled subscription returned HTTP 500 with an empty body where the test expects 400. The test sets the validating webhook failurePolicy to Ignore (admission becomes fail-open) and scales the controller down; the captured traceback stops at the assertion, so the restore step is not visible here. After a failed run, verify that failurePolicy is back to Fail and the controller is running. The three failures that follow in this report are also HTTP 500 responses from key creation, which may or may not be related. -->
<testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionPhases" name="test_reject_key_for_unreconciled_subscription" time="22.648"><failure message="AssertionError: Expected 400 for unreconciled subscription, got 500: &#10;assert 500 == 400&#10; +  where 500 = &lt;Response [500]&gt;.status_code">self = &lt;test_api_keys.TestAPIKeySubscriptionPhases object at 0x7fbbede10fa0&gt;

    def test_reject_key_for_unreconciled_subscription(self):
        """
        API key creation is rejected for unreconciled subscription (empty phase).
    
        Note: Temporarily sets webhook failurePolicy to Ignore to allow creating
        resources while controller is down, then restores to Fail.
        """
        ns = _ns()
        subscription_name = "e2e-apikey-unreconciled-sub"
        auth_name = "e2e-apikey-unreconciled-auth"
        sa_name = "e2e-apikey-unreconciled-sa"
        webhook_name = "maas-validating-webhook-configuration"
    
        try:
            # Create service account and get token
            oc_token = _create_sa_token(sa_name, namespace=MODEL_NAMESPACE)
            sa_user = _sa_to_user(sa_name, namespace=MODEL_NAMESPACE)
    
            # Temporarily set webhook failurePolicy to Ignore
            # This allows creates to succeed when controller/webhook is unavailable
            # Find webhook indices dynamically by name to avoid brittleness
            result = subprocess.run(
                ["oc", "get", "validatingwebhookconfiguration", webhook_name, "-o", "json"],
                capture_output=True, text=True, check=True
            )
            webhook_config = json.loads(result.stdout)
            patch_ops = []
            for idx, webhook in enumerate(webhook_config.get("webhooks", [])):
                if webhook.get("name") in ["vmaassubscription.kb.io", "vmaasauthpolicy.kb.io"]:
                    patch_ops.append({"op": "replace", "path": f"/webhooks/{idx}/failurePolicy", "value": "Ignore"})
    
            subprocess.run(
                ["oc", "patch", "validatingwebhookconfiguration", webhook_name,
                 "--type=json", "-p", json.dumps(patch_ops)],
                capture_output=True, text=True, check=True
            )
    
            # Scale down controller to prevent reconciliation
            _scale_controller_down()
    
            # Create resources (webhook unavailable but Ignore policy allows creates)
            _create_test_auth_policy(auth_name, MODEL_REF, users=[sa_user])
            _create_test_subscription(subscription_name, MODEL_REF, users=[sa_user])
    
            # Verify subscription is unreconciled (empty phase)
            cr = _get_cr("maassubscription", subscription_name, namespace=ns)
            phase = cr.get("status", {}).get("phase", "")
            assert phase == "", f"Expected empty phase, got: {phase}"
            log.info("✅ Subscription is unreconciled (empty phase)")
    
            # Try to create API key (should fail with 400)
            response = requests.post(
                f"{_maas_api_url()}/v1/api-keys",
                headers={
                    "Authorization": f"Bearer {oc_token}",
                    "Content-Type": "application/json"
                },
                json={
                    "name": "unreconciled-sub-test",
                    "subscription": subscription_name
                },
                timeout=TIMEOUT,
                verify=TLS_VERIFY,
            )
    
&gt;           assert response.status_code == 400, \
                f"Expected 400 for unreconciled subscription, got {response.status_code}: {response.text}"
E               AssertionError: Expected 400 for unreconciled subscription, got 500: 
E               assert 500 == 400
E                +  where 500 = &lt;Response [500]&gt;.status_code

test/e2e/tests/test_api_keys.py:1408: AssertionError</failure></testcase>
<!-- Failed while preparing data: creating the first key for the new subscription returned HTTP 500 with an empty body, so the subscription filter itself was never exercised. The captured locals that follow include the request headers with a bearer token (shortened with "..." in the middle); mask credentials in fixtures or disable local-variable capture before publishing reports like this one. -->
<testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionFilter" name="test_search_filters_by_subscription" time="14.356"><failure message="AssertionError: Failed to create key for e2e-filter-sub-a-a82a6e59: &#10;assert 500 in (200, 201)&#10; +  where 500 = &lt;Response [500]&gt;.status_code">self = &lt;test_api_keys.TestAPIKeySubscriptionFilter object at 0x7fbbede10cd0&gt;
api_keys_base_url = 'https://maas.apps.0a7dafb9-8933-4a90-9726-fb9f1b82a0e4.prod.konfluxeaas.com/maas-api/v1/api-keys'
headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjBOVGh1amItUVg2S01FbmREdlVJN29UVEMxdFZSQzBTQUZVRFpBcVhselkifQ.e...9arUtDqGze58VmPTtGXiDsas4HKZwBdj4Wjw8INLHESImizRhPF1d1rm2e4RDM4yCBK1kxs3iIWgqhAdg', 'Content-Type': 'application/json'}

    def test_search_filters_by_subscription(self, api_keys_base_url: str, headers: dict):
        """Search with subscription filter returns only keys bound to that subscription."""
        sub_a = f"e2e-filter-sub-a-{os.urandom(4).hex()}"
        sub_b = f"e2e-filter-sub-b-{os.urandom(4).hex()}"
        ns = _ns()
        sa_name = f"e2e-filter-sa-{os.urandom(4).hex()}"
    
        key_ids_a = []
        key_ids_b = []
        try:
            # Create one SA authorized for both subscriptions so that
            # exclusion in search results is attributable to the subscription
            # filter, not user-scoping.
            oc_token = _create_sa_token(sa_name, namespace=MODEL_NAMESPACE)
            sa_user = _sa_to_user(sa_name, namespace=MODEL_NAMESPACE)
            sa_headers = {"Authorization": f"Bearer {oc_token}", "Content-Type": "application/json"}
    
            _create_test_auth_policy(f"{sub_a}-auth", MODEL_REF, users=[sa_user])
            _create_test_subscription(sub_a, MODEL_REF, users=[sa_user])
            _wait_for_maas_subscription_phase(sub_a, namespace=ns)
    
            _create_test_auth_policy(f"{sub_b}-auth", MODEL_REF, users=[sa_user])
            _create_test_subscription(sub_b, MODEL_REF, users=[sa_user])
            _wait_for_maas_subscription_phase(sub_b, namespace=ns)
    
            # Create 2 keys bound to sub_a
            for i in range(2):
                r = requests.post(
                    api_keys_base_url,
                    headers=sa_headers,
                    json={"name": f"e2e-filter-a-{i}", "subscription": sub_a},
                    timeout=TIMEOUT,
                    verify=TLS_VERIFY,
                )
&gt;               assert r.status_code in (200, 201), f"Failed to create key for {sub_a}: {r.text}"
E               AssertionError: Failed to create key for e2e-filter-sub-a-a82a6e59: 
E               assert 500 in (200, 201)
E                +  where 500 = &lt;Response [500]&gt;.status_code

test/e2e/tests/test_api_keys.py:1510: AssertionError</failure></testcase><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionFilter" name="test_search_without_subscription_returns_all" time="0.229" /><testcase classname="test.e2e.tests.test_namespace_scoping.TestMaaSAPIWatchNamespace" name="test_subscription_in_subscription_namespace_visible_to_api" time="8.620" /><testcase classname="test.e2e.tests.test_namespace_scoping.TestMaaSAPIWatchNamespace" name="test_subscription_in_another_namespace_not_visible_to_api" time="22.407" /><testcase classname="test.e2e.tests.test_namespace_scoping.TestMaaSControllerWatchNamespace" name="test_authpolicy_and_subscription_in_maas_subscription_namespace" time="23.957" /><testcase classname="test.e2e.tests.test_namespace_scoping.TestMaaSControllerWatchNamespace" name="test_authpolicy_and_subscription_in_another_namespace" time="29.897" /><testcase classname="test.e2e.tests.test_namespace_scoping.TestModelRef" name="test_auth_policy_model_ref" time="30.909" /><testcase classname="test.e2e.tests.test_namespace_scoping.TestModelRef" name="test_subscription_model_ref" time="30.895" />
<!-- Failed before the check ran: the traceback shows _create_api_key raising on an HTTP 500 in the first statement of the test, so no request with injected X-MaaS identity headers was sent. This result is not evidence for or against header stripping; rerun once key creation works. The traceback also records the oc_token argument (shortened with "..."), which is a credential in a report artifact. -->
<testcase classname="test.e2e.tests.test_negative_security.TestHeaderSpoofing" name="test_injected_identity_headers_ignored" time="0.036"><failure message="RuntimeError: Failed to create API key: 500">self = &lt;test_negative_security.TestHeaderSpoofing object at 0x7fbbede2dc10&gt;

    def test_injected_identity_headers_ignored(self):
        """Client injects X-MaaS-Username/Group/Key-Id — platform ignores them.
    
        Validates that Authorino strips attacker-controlled identity headers.
        The request should succeed (200) using the real key-derived identity,
        proving the spoofed headers had no effect on authorization.
        """
&gt;       api_key = _create_api_key(_get_cluster_token(), subscription=SIMULATOR_SUBSCRIPTION)

test/e2e/tests/test_negative_security.py:83: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjBOVGh1amItUVg2S01FbmREdlVJN29UVEMxdFZSQzBTQUZVRFpBcVhselkifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...qq444HXlVfDkV0kD5YZ2uT5iKLxBAVXIqE9ih9arUtDqGze58VmPTtGXiDsas4HKZwBdj4Wjw8INLHESImizRhPF1d1rm2e4RDM4yCBK1kxs3iIWgqhAdg'
name = None, subscription = 'simulator-subscription'

    def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -&gt; str:
        """Create an API key using the MaaS API and return the plaintext key.
    
        Args:
            oc_token: OC token for authentication with maas-api
            name: Optional name for the key (auto-generated if not provided)
            subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted)
    
        Returns:
            The plaintext API key (sk-oai-xxx format)
        """
        r = _create_api_key_raw(oc_token, name, subscription)
        if r.status_code not in (200, 201):
&gt;           raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}")
E           RuntimeError: Failed to create API key: 500

test/e2e/tests/test_helper.py:243: RuntimeError</failure></testcase>
<!-- Same precondition failure as the preceding testcase: key creation returned HTTP 500 in the first statement, so the duplicate X-MaaS-Subscription header case was not exercised. Treat the header-spoofing coverage as missing for this run, not as failed enforcement. -->
<testcase classname="test.e2e.tests.test_negative_security.TestHeaderSpoofing" name="test_duplicate_subscription_headers_ignored" time="0.040"><failure message="RuntimeError: Failed to create API key: 500">self = &lt;test_negative_security.TestHeaderSpoofing object at 0x7fbbede2dcd0&gt;

    def test_duplicate_subscription_headers_ignored(self):
        """Client sends multiple X-MaaS-Subscription headers — API key binding wins.
    
        For API key requests, the subscription is fixed at mint time.
        Duplicate or conflicting X-MaaS-Subscription headers must not override
        the key-derived subscription.
        """
&gt;       api_key = _create_api_key(_get_cluster_token(), subscription=SIMULATOR_SUBSCRIPTION)

test/e2e/tests/test_negative_security.py:108: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjBOVGh1amItUVg2S01FbmREdlVJN29UVEMxdFZSQzBTQUZVRFpBcVhselkifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...qq444HXlVfDkV0kD5YZ2uT5iKLxBAVXIqE9ih9arUtDqGze58VmPTtGXiDsas4HKZwBdj4Wjw8INLHESImizRhPF1d1rm2e4RDM4yCBK1kxs3iIWgqhAdg'
name = None, subscription = 'simulator-subscription'

    def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -&gt; str:
        """Create an API key using the MaaS API and return the plaintext key.
    
        Args:
            oc_token: OC token for authentication with maas-api
            name: Optional name for the key (auto-generated if not provided)
            subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted)
    
        Returns:
            The plaintext API key (sk-oai-xxx format)
        """
        r = _create_api_key_raw(oc_token, name, subscription)
        if r.status_code not in (200, 201):
&gt;           raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}")
E           RuntimeError: Failed to create API key: 500

test/e2e/tests/test_helper.py:243: RuntimeError</failure></testcase></testsuite></testsuites>