apiVersion: extensions.istio.io/v1alpha1 kind: WasmPlugin metadata: creationTimestamp: "2026-06-11T12:44:19Z" generation: 3 labels: kuadrant.io/managed: "true" managedFields: - apiVersion: extensions.istio.io/v1alpha1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: .: {} f:kuadrant.io/managed: {} f:ownerReferences: .: {} k:{"uid":"324229d2-3e12-4e95-a730-208c26e82a97"}: {} f:spec: .: {} f:phase: {} f:pluginConfig: .: {} f:actionSets: {} f:services: .: {} f:auth-service: .: {} f:endpoint: {} f:failureMode: {} f:timeout: {} f:type: {} f:ratelimit-check-service: .: {} f:endpoint: {} f:failureMode: {} f:timeout: {} f:type: {} f:ratelimit-report-service: .: {} f:endpoint: {} f:failureMode: {} f:timeout: {} f:type: {} f:ratelimit-service: .: {} f:endpoint: {} f:failureMode: {} f:timeout: {} f:type: {} f:targetRefs: {} f:url: {} manager: manager operation: Update time: "2026-06-11T12:47:44Z" name: kuadrant-maas-default-gateway namespace: openshift-ingress ownerReferences: - apiVersion: gateway.networking.k8s.io/v1 blockOwnerDeletion: true controller: true kind: Gateway name: maas-default-gateway uid: 324229d2-3e12-4e95-a730-208c26e82a97 resourceVersion: "30338" uid: c8637ab0-6dc3-43e1-ab9a-1057e03a160f spec: phase: STATS pluginConfig: actionSets: - actions: - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: "0" predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: keycloak-system/keycloak-route service: ratelimit-check-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: responseBodyJSON("/usage/total_tokens") predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: keycloak-system/keycloak-route service: ratelimit-report-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny name: 345d34d41d94d02644aaacb90b57245a3ce25d07ce10e16292fd2ab1440f9fac routeRuleConditions: hostnames: - keycloak.apps.12cf77bc-2131-40d0-ba17-1a351d128bfe.prod.konfluxeaas.com predicates: - request.url_path.startsWith('/') - actions: - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: "0" predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-2-simulated-kserve-route service: ratelimit-check-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: responseBodyJSON("/usage/total_tokens") predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-2-simulated-kserve-route service: ratelimit-report-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny name: a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549 routeRuleConditions: hostnames: - '*' predicates: - request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions') - actions: - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: "0" predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-simulated-kserve-route service: ratelimit-check-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: responseBodyJSON("/usage/total_tokens") predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-simulated-kserve-route service: ratelimit-report-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny name: 97baef229ab3877742037427f279d74d823fdac1d905b3adf54884f62cd6642a routeRuleConditions: hostnames: - '*' predicates: - request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/chat/completions') - actions: - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: "0" predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-2-simulated-kserve-route service: ratelimit-check-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: responseBodyJSON("/usage/total_tokens") predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-2-simulated-kserve-route service: ratelimit-report-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny name: d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469 routeRuleConditions: hostnames: - '*' predicates: - request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions') - actions: - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: "0" predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-2-simulated-kserve-route service: ratelimit-check-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: responseBodyJSON("/usage/total_tokens") predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-2-simulated-kserve-route service: ratelimit-report-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny name: 83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c routeRuleConditions: hostnames: - '*' predicates: - request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses') - actions: - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: "0" predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-simulated-kserve-route service: ratelimit-check-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: responseBodyJSON("/usage/total_tokens") predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-simulated-kserve-route service: ratelimit-report-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny name: 37d38d688f4881b6b6d78cf081dd62e7a0613d1931344fe9f5b636dd5d771db1 routeRuleConditions: hostnames: - '*' predicates: - request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/completions') - actions: - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: "0" predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-simulated-kserve-route service: ratelimit-check-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: responseBodyJSON("/usage/total_tokens") predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-simulated-kserve-route service: ratelimit-report-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny name: d0751135b15b5ff103c70e20d2f13f028c6451c15e5543d7a1975b13ee1f8149 routeRuleConditions: hostnames: - '*' predicates: - request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/responses') - actions: - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: "0" predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-2-simulated-kserve-route service: ratelimit-check-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: responseBodyJSON("/usage/total_tokens") predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-2-simulated-kserve-route service: ratelimit-report-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny name: 3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9 routeRuleConditions: hostnames: - '*' predicates: - request.url_path.startsWith('/llm/e2e-distinct-2-simulated') - actions: - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: "0" predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-simulated-kserve-route service: ratelimit-check-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: responseBodyJSON("/usage/total_tokens") predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: llm/e2e-distinct-simulated-kserve-route service: ratelimit-report-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny name: cbd0c2da2572a35cd3b4337f215f7ea87eb0fd2dab2d8b96a3633b802e944cf3 routeRuleConditions: hostnames: - '*' predicates: - request.url_path.startsWith('/llm/e2e-distinct-simulated') - actions: - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: "0" predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: opendatahub/maas-api-route service: ratelimit-check-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: responseBodyJSON("/usage/total_tokens") predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: opendatahub/maas-api-route service: ratelimit-report-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny name: 4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c routeRuleConditions: hostnames: - '*' predicates: - request.url_path.startsWith('/v1/models') - actions: - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: "0" predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: opendatahub/maas-api-route service: ratelimit-check-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny - conditionalData: - data: - expression: key: tokenlimit.deny_all_by_default__6d45535f value: "1" - expression: key: auth.identity.userid value: auth.identity.userid - expression: key: ratelimit.hits_addend value: responseBodyJSON("/usage/total_tokens") predicates: - '!request.path.startsWith("/maas-api") && !request.path.startsWith("/v1/models")' scope: opendatahub/maas-api-route service: ratelimit-report-service sources: - tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny name: a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5 routeRuleConditions: hostnames: - '*' predicates: - request.url_path.startsWith('/maas-api') services: auth-service: endpoint: kuadrant-auth-service failureMode: deny timeout: 200ms type: auth ratelimit-check-service: endpoint: kuadrant-ratelimit-service failureMode: deny timeout: 100ms type: ratelimit-check ratelimit-report-service: endpoint: kuadrant-ratelimit-service failureMode: deny timeout: 100ms type: ratelimit-report ratelimit-service: endpoint: kuadrant-ratelimit-service failureMode: allow timeout: 100ms type: ratelimit targetRefs: - group: gateway.networking.k8s.io kind: Gateway name: maas-default-gateway url: quay.io/kuadrant/wasm-shim:v0.12.1