{"level":"info","ts":"2026-06-11T17:25:01.234Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:02.238Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","Limitador","ConfigMap","AuthPolicy"],"eventTypes":{"update":30}}
{"level":"info","ts":"2026-06-11T17:25:02.247Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:02.326Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:25:02.336Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:02.430Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:02.430Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:02.430Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:02.534Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:25:02.534Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:02.534Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:25:02.534Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:02.631Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:02.891Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:02.933Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:03.529Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","ConfigMap","AuthPolicy","Limitador"],"eventTypes":{"update":5}}
{"level":"info","ts":"2026-06-11T17:25:03.540Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:03.542Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:25:03.626Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:25:03.626Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:03.629Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:03.630Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:03.632Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:25:03.632Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:03.632Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:03.632Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:03.735Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:04.058Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:04.133Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:05.032Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","ConfigMap"],"eventTypes":{"update":2}}
{"level":"info","ts":"2026-06-11T17:25:05.131Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:05.131Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:05.131Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:07.336Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","ConfigMap","AuthPolicy"],"eventTypes":{"update":29}}
{"level":"info","ts":"2026-06-11T17:25:07.436Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:07.438Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:07.438Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:13.327Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","TokenRateLimitPolicy","AuthPolicy"],"eventTypes":{"create":1,"update":2}}
{"level":"info","ts":"2026-06-11T17:25:13.429Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:13.433Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:13.433Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:13.433Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:13.435Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T17:25:13.527Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:15.028Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute","ConfigMap","Limitador","TokenRateLimitPolicy","WasmPlugin"],"eventTypes":{"update":7}}
{"level":"info","ts":"2026-06-11T17:25:15.056Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:15.127Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:25:15.225Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:15.225Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:15.229Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:15.231Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:25:15.231Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:15.234Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:25:15.234Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:15.326Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:15.329Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:15.658Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:15.736Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:16.336Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","TokenRateLimitPolicy","ConfigMap"],"eventTypes":{"update":5}}
{"level":"info","ts":"2026-06-11T17:25:16.348Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:16.350Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:25:16.428Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:25:16.428Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:16.430Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:16.432Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:16.433Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:25:16.433Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:16.430Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:16.433Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:16.760Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:16.834Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:22.030Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","TokenRateLimitPolicy"],"eventTypes":{"delete":1,"update":1}}
{"level":"info","ts":"2026-06-11T17:25:22.128Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:22.128Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:22.132Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:22.134Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T17:25:22.145Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:23.528Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","TokenRateLimitPolicy","Limitador","WasmPlugin","ConfigMap","HTTPRoute"],"eventTypes":{"update":7}}
{"level":"info","ts":"2026-06-11T17:25:23.538Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:23.540Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:25:23.626Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:25:23.626Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:23.633Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:23.636Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:23.637Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:23.637Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:23.732Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:25:23.732Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:23.734Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:24.646Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:24.830Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:25.831Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","Limitador","TokenRateLimitPolicy","AuthPolicy","ConfigMap"],"eventTypes":{"update":32}}
{"level":"info","ts":"2026-06-11T17:25:25.845Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:25.847Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:25:25.929Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:25:25.929Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:25.931Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:25.931Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:25.931Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:26.025Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:26.030Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:25:26.030Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:26.131Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:26.434Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:26.443Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:31.332Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","Gateway","TokenRateLimitPolicy","HTTPRoute","ConfigMap"],"eventTypes":{"create":2,"update":3}}
{"level":"info","ts":"2026-06-11T17:25:31.434Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:31.525Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:31.530Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T17:25:31.633Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:31.633Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:31.633Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:31.635Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:32.929Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:33.026Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:33.047Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy"],"eventTypes":{"update":1}}
{"level":"info","ts":"2026-06-11T17:25:33.432Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:33.432Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:33.432Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"error","ts":"2026-06-11T17:25:33.528Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T17:01:49Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:47Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system","resourceVersion":"50820","uid":"d6f87c52-b0d6-42d6-88fd-f3a54f441286"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:47Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:47Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.540Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T17:01:29Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:53Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system","resourceVersion":"50810","uid":"a5a30874-017d-4e86-aae5-703b876f7803"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:53Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:53Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.639Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T17:01:06Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:57Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system","resourceVersion":"50829","uid":"22f9b3a4-73eb-4844-b1cb-9d7df4da6bd7"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:57Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:57Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.727Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-external-model","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-external-model#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0\" already exists"}
{"level":"error","ts":"2026-06-11T17:25:33.744Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T17:02:06Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:23:23Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system","resourceVersion":"50827","uid":"ef5d5577-6019-4b17-9999-fbe3768e1e14"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:23:23Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:23:23Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.745Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-11T16:57:55Z","generation":197,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"e4292447-26d8-4b6e-b3b5-b11c82a7b09c\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:22Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"e4292447-26d8-4b6e-b3b5-b11c82a7b09c"}],"resourceVersion":"50775","uid":"347d8804-e219-4cc0-9aad-f1e751fbe198"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"afd72b879aabf95e5d9faf2fed7556101fb799e1aa18930003a369cab2e1d52c","routeRuleConditions":{"hostnames":["keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"0f9ab5b59d41deac660da2eb1d0a5f24e077e4a7cd14f339dcf52d28f04c7867","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"ca70359add5c6503be25edc73c4e1d1b9ecd52b90f1464f7b7fccc93f02ee1cd","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3df6dbaac7d8180af06df213797f77704246a929e55f73d207b164a095832f11","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"bb22e883980a995d5381ec6dc068eac7dad6f44ad8c6c494bac8d0db9e9c5f06","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"d6a603a23a707d5ecfe0c23a03ae7cb2d64110e9c11b50e0b3dde829d2f55ff5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"4a34c3f151697e84771d86a0b439e98df2ae85d6df00ad199643ca39bc386d02","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"ae28cf21965c95af7482715f2e1e23d83fa238c0e2649c5166c873e33b10d543","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"29ba2d99e8547db550138417bc4dd1de1fe95f80c1a67235729f38ceb873fabe","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a6259e031deb01ee4da2bb151348f2ecb2911c3a028e205a1c3226b376eb2a2d","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"97baef229ab3877742037427f279d74d823fdac1d905b3adf54884f62cd6642a","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"a2c1bbd8109bc5cbf6f3b5429e278eaaacf98a35a57d014f1fd5783255cdf122","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"1271bf2a1fb72c512e7752f10847edbe9fef443c3d6e4783341d7aa721f423b0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"444ee84fa1d1c0b5811d9eb7e61197460aaa5e24874dce3000047afb78eedcb2","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"37d38d688f4881b6b6d78cf081dd62e7a0613d1931344fe9f5b636dd5d771db1","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"93b69fcfc80e73da87822ba6be11bc487be511f4d38d4d911fd97a5b0e6cdfb7","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d0751135b15b5ff103c70e20d2f13f028c6451c15e5543d7a1975b13ee1f8149","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"17c95243a9d9267db05df573212cf6769a2993b0f1d81c41c949e017251b7678","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"bbd718eb041215b024cc6391a723517d277cf6dafe222d110de0e5cf05c5a1d8","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d9e0842efca62ec18863606db12ceebf38bbe9ef730da2630467ad9fc10100a0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"cbd0c2da2572a35cd3b4337f215f7ea87eb0fd2dab2d8b96a3633b802e944cf3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-external-model","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-external-model","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4b77f64765a45c34fc0c46ec3eb3fefd5099ba53f484e065861ce52ebf0e58e3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-external-model')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-external-model","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-external-model","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"2353fe625a0d4b76d877c4b87e1bf058d72d76bda7fbcbb6113dc93cea20b10f","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/')","request.headers.exists(h, h.lowerAscii() == 'x-gateway-model-name' && request.headers[h] == 'gpt-3.5-turbo')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.754Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T17:01:54Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:53Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system","resourceVersion":"50822","uid":"62673de3-881d-4bed-9771-9adfa1692c23"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:53Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:53Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.776Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T17:01:35Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:54Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system","resourceVersion":"50824","uid":"c23b8a65-0998-4698-83b4-f3dddde31206"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:54Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:54Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.798Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T17:01:49Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:23Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:23Z"}],"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system","resourceVersion":"50794","uid":"57a0b574-1f9e-41c3-b8d6-3591771af695"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:23Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:23Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.813Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T17:01:30Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:05Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system","resourceVersion":"50833","uid":"cbd6634a-374a-45f7-9247-a73269cc5b4c"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.828Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-external-model","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-external-model#rule-2"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11\" already exists"}
{"level":"error","ts":"2026-06-11T17:25:33.840Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T17:02:06Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:05Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system","resourceVersion":"50819","uid":"895d0410-776f-418f-ac5b-2554ad990c04"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.856Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T17:01:54Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:23:41Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system","resourceVersion":"50812","uid":"2aa2ebb9-857f-409d-9d66-d0087d6f5f6b"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:23:41Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:23:41Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.872Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T17:01:49Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:57Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system","resourceVersion":"50823","uid":"6ecb79de-3cb4-4fc9-b651-a3dfa1d5e5b3"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:57Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:57Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.888Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-1"},"creationTimestamp":"2026-06-11T17:00:49Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:23:58Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:23Z"}],"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system","resourceVersion":"50804","uid":"421570fa-dde0-4d73-9d9b-e01c0ce497de"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:23:58Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:23:58Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.899Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"keycloak-system/keycloak-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:keycloak-system/keycloak-route#rule-1"},"creationTimestamp":"2026-06-11T17:00:49Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:23:06Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system","resourceVersion":"50831","uid":"23206013-8b4e-44a9-b78d-05d6ab65ba88"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:23:06Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:23:06Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.911Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T17:01:54Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:00Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system","resourceVersion":"50828","uid":"99386432-3901-4fa7-9faf-c9098b3a03f7"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:00Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:00Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.927Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T17:01:29Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:00Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system","resourceVersion":"50826","uid":"b311c820-1467-4e26-9ac4-35e185f93783"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:00Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:00Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.942Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T17:01:06Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:23Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:24Z"}],"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system","resourceVersion":"50809","uid":"7f32b38c-37a2-4dbe-af28-fef70a53dc08"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:24Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:24Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.957Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T17:02:06Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:00Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system","resourceVersion":"50814","uid":"b932b55d-9332-46de-a9a8-8dd659244c2d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:00Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:00Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.970Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T17:01:06Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:05Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system","resourceVersion":"50836","uid":"ecc2969d-4eeb-434d-9204-a0d3b78fbcca"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:33.987Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T17:01:35Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:24Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system","resourceVersion":"50813","uid":"90eb19e5-458e-49c9-9a2a-4a2c51dbee4b"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:24Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:24Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:34.003Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T17:01:49Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:57Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system","resourceVersion":"50834","uid":"f55c0107-475c-4897-a881-07ba67929237"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:57Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:57Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:34.017Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T17:01:54Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:33Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system","resourceVersion":"50818","uid":"fd446f1e-ad0e-4573-a44e-df783209ca69"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:33Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:33Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:34.032Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T17:02:06Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:41Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system","resourceVersion":"50816","uid":"62f08c3c-bb66-412e-a791-912e6efa7e4d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:41Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:41Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:34.048Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T17:01:06Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:34Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system","resourceVersion":"50835","uid":"604fb85f-5467-416d-9535-72aa9d229bf5"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:34Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:34Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:34.067Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T17:01:35Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:13Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system","resourceVersion":"50821","uid":"7b47f121-8973-4bea-89f8-b74a61398c61"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:13Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:13Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:34.087Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T17:01:29Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:05Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system","resourceVersion":"50830","uid":"16d0ee96-15e0-4c0e-bb44-24881268d9c3"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:34.105Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-2"},"creationTimestamp":"2026-06-11T17:00:49Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:05Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system","resourceVersion":"50817","uid":"753e6d00-3df8-4f28-b95b-86c88d9a8687"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:34.116Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T17:01:35Z","generation":68,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:21Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:24Z"}],"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system","resourceVersion":"50832","uid":"cfe078bc-b788-4ce6-b30f-46d1900a10ea"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/e2e-external-model\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:21Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:21Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:34.137Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:25:34.149Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"e2e-external-model","namespace":"llm","uid":"04e042f9-aa46-4b66-912b-49ddbe8b57c0","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"e2e-external-model\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T17:25:35.432Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","AuthPolicy","Limitador","TokenRateLimitPolicy","ConfigMap","WasmPlugin","HTTPRoute"],"eventTypes":{"create":2,"update":35}}
{"level":"info","ts":"2026-06-11T17:25:35.445Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:35.447Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:25:35.528Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:25:35.528Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:35.533Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:35.536Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:35.627Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:25:35.627Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:35.631Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:35.631Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:35.830Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:36.064Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"error","ts":"2026-06-11T17:25:36.126Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"maas-default-gateway","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T17:25:36.133Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:36.233Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig"],"eventTypes":{"update":1}}
{"level":"error","ts":"2026-06-11T17:25:36.545Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T17:25:37.734Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","ConfigMap","Gateway","Limitador","AuthPolicy","HTTPRoute"],"eventTypes":{"create":1,"update":7}}
{"level":"info","ts":"2026-06-11T17:25:37.825Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:37.827Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:25:37.928Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:25:37.928Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:37.937Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:38.025Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:38.025Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:38.025Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:38.028Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T17:25:38.126Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:38.127Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:38.938Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:38.948Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:40.231Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","TokenRateLimitPolicy","AuthConfig","ConfigMap","Limitador","HTTPRoute","WasmPlugin"],"eventTypes":{"create":2,"update":8}}
{"level":"info","ts":"2026-06-11T17:25:40.241Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:40.244Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:25:40.426Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:25:40.426Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:40.528Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:40.528Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:40.529Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:40.532Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:40.728Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:25:40.728Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:40.732Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:41.069Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:41.230Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:41.932Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","Limitador","ConfigMap","AuthPolicy"],"eventTypes":{"update":6}}
{"level":"info","ts":"2026-06-11T17:25:41.942Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:41.945Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:25:42.128Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:25:42.128Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:42.231Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:42.231Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:42.231Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:42.325Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:42.328Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:25:42.328Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:25:42.330Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:25:42.737Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:25:42.831Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:01.026Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","ConfigMap","HTTPRoute"],"eventTypes":{"delete":1,"update":2}}
{"level":"info","ts":"2026-06-11T17:26:01.129Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:01.133Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:01.134Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T17:26:01.232Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:01.332Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:01.332Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:01.429Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:01.838Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:01.930Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:03.228Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","WasmPlugin","TokenRateLimitPolicy","Limitador","AuthConfig"],"eventTypes":{"delete":2,"update":6}}
{"level":"info","ts":"2026-06-11T17:26:03.242Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:03.327Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:26:03.338Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:03.427Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:26:03.427Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:03.429Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:03.429Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:03.432Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:26:03.432Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:03.527Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:03.841Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:03.931Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:04.526Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","TokenRateLimitPolicy","ConfigMap"],"eventTypes":{"update":5}}
{"level":"info","ts":"2026-06-11T17:26:04.537Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:04.539Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:26:04.629Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:26:04.629Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:04.630Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:04.632Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:26:04.632Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:04.632Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:04.632Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:04.636Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:05.045Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:05.135Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:13.431Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway","TokenRateLimitPolicy"],"eventTypes":{"delete":1,"update":2}}
{"level":"info","ts":"2026-06-11T17:26:13.635Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:13.725Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:13.728Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T17:26:13.728Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:13.728Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:13.734Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:13.827Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:15.149Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:15.429Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:15.534Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","HTTPRoute"],"eventTypes":{"delete":1,"update":1}}
{"level":"info","ts":"2026-06-11T17:26:15.825Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:15.830Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"}
{"level":"info","ts":"2026-06-11T17:26:15.832Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:15.835Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:15.825Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:15.835Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"error","ts":"2026-06-11T17:26:15.928Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T17:26:15.928Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"error","ts":"2026-06-11T17:26:15.928Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T17:01:54Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:23:41Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:31Z"}],"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system","resourceVersion":"50935","uid":"2aa2ebb9-857f-409d-9d66-d0087d6f5f6b"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:23:41Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:23:41Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.125Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-1"},"creationTimestamp":"2026-06-11T17:00:49Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:23:58Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system","resourceVersion":"50961","uid":"421570fa-dde0-4d73-9d9b-e01c0ce497de"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:23:58Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:23:58Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.141Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T17:01:35Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:21Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system","resourceVersion":"50976","uid":"cfe078bc-b788-4ce6-b30f-46d1900a10ea"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:21Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:21Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.225Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T17:02:06Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:00Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system","resourceVersion":"50966","uid":"b932b55d-9332-46de-a9a8-8dd659244c2d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:00Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:00Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.240Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T17:01:29Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:05Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system","resourceVersion":"50965","uid":"16d0ee96-15e0-4c0e-bb44-24881268d9c3"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.250Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T17:01:49Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:57Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:31Z"}],"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system","resourceVersion":"50944","uid":"6ecb79de-3cb4-4fc9-b651-a3dfa1d5e5b3"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:57Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:57Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.262Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T17:01:35Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:13Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system","resourceVersion":"50974","uid":"7b47f121-8973-4bea-89f8-b74a61398c61"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:13Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:13Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.250Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-11T16:57:55Z","generation":200,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"e4292447-26d8-4b6e-b3b5-b11c82a7b09c\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:26:01Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"e4292447-26d8-4b6e-b3b5-b11c82a7b09c"}],"resourceVersion":"51357","uid":"347d8804-e219-4cc0-9aad-f1e751fbe198"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"afd72b879aabf95e5d9faf2fed7556101fb799e1aa18930003a369cab2e1d52c","routeRuleConditions":{"hostnames":["keycloak.apps.fb1fb2b1-e37d-43bb-a447-4e1b046d7a89.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"0f9ab5b59d41deac660da2eb1d0a5f24e077e4a7cd14f339dcf52d28f04c7867","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"ca70359add5c6503be25edc73c4e1d1b9ecd52b90f1464f7b7fccc93f02ee1cd","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3df6dbaac7d8180af06df213797f77704246a929e55f73d207b164a095832f11","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"bb22e883980a995d5381ec6dc068eac7dad6f44ad8c6c494bac8d0db9e9c5f06","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"d6a603a23a707d5ecfe0c23a03ae7cb2d64110e9c11b50e0b3dde829d2f55ff5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"4a34c3f151697e84771d86a0b439e98df2ae85d6df00ad199643ca39bc386d02","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"ae28cf21965c95af7482715f2e1e23d83fa238c0e2649c5166c873e33b10d543","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"29ba2d99e8547db550138417bc4dd1de1fe95f80c1a67235729f38ceb873fabe","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a6259e031deb01ee4da2bb151348f2ecb2911c3a028e205a1c3226b376eb2a2d","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"97baef229ab3877742037427f279d74d823fdac1d905b3adf54884f62cd6642a","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"a2c1bbd8109bc5cbf6f3b5429e278eaaacf98a35a57d014f1fd5783255cdf122","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"1271bf2a1fb72c512e7752f10847edbe9fef443c3d6e4783341d7aa721f423b0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"444ee84fa1d1c0b5811d9eb7e61197460aaa5e24874dce3000047afb78eedcb2","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"37d38d688f4881b6b6d78cf081dd62e7a0613d1931344fe9f5b636dd5d771db1","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"93b69fcfc80e73da87822ba6be11bc487be511f4d38d4d911fd97a5b0e6cdfb7","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d0751135b15b5ff103c70e20d2f13f028c6451c15e5543d7a1975b13ee1f8149","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_premium_simulator_subscription_premium_simulated_simulated_premium_tokens__a2a80825","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/premium-simulator-subscription@llm/premium-simulated-simulated-premium\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/premium-simulated-simulated-premium-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-premium-simulated-simulated-premium"]}],"name":"17c95243a9d9267db05df573212cf6769a2993b0f1d81c41c949e017251b7678","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/premium-simulated-simulated-premium')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.models_as_a_service_simulator_subscription_facebook_opt_125m_simulated_tokens__87db8427","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["auth.identity.selected_subscription_key == \"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated\" && !request.path.endsWith(\"/v1/models\")"]}],"scope":"llm/facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:llm/maas-trlp-facebook-opt-125m-simulated"]}],"name":"bbd718eb041215b024cc6391a723517d277cf6dafe222d110de0e5cf05c5a1d8","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d9e0842efca62ec18863606db12ceebf38bbe9ef730da2630467ad9fc10100a0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"cbd0c2da2572a35cd3b4337f215f7ea87eb0fd2dab2d8b96a3633b802e944cf3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.325Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T17:01:29Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:53Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system","resourceVersion":"50970","uid":"a5a30874-017d-4e86-aae5-703b876f7803"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:53Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:53Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.336Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T17:01:54Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:33Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system","resourceVersion":"50971","uid":"fd446f1e-ad0e-4573-a44e-df783209ca69"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:33Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:33Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.347Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T17:02:06Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:05Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system","resourceVersion":"50958","uid":"895d0410-776f-418f-ac5b-2554ad990c04"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.359Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T17:01:30Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:05Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system","resourceVersion":"50983","uid":"cbd6634a-374a-45f7-9247-a73269cc5b4c"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.371Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T17:01:49Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:31Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:31Z"}],"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system","resourceVersion":"50934","uid":"f55c0107-475c-4897-a881-07ba67929237"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:31Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:31Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.383Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T17:01:35Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:54Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system","resourceVersion":"50955","uid":"c23b8a65-0998-4698-83b4-f3dddde31206"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:54Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:54Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.393Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T17:02:06Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:41Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system","resourceVersion":"50963","uid":"62f08c3c-bb66-412e-a791-912e6efa7e4d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:41Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:41Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.404Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T17:01:35Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:24Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:31Z"}],"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system","resourceVersion":"50927","uid":"90eb19e5-458e-49c9-9a2a-4a2c51dbee4b"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:24Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:24Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.415Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T17:01:54Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:53Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system","resourceVersion":"50975","uid":"62673de3-881d-4bed-9771-9adfa1692c23"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:53Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:53Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.425Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-11T17:01:06Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:34Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system","resourceVersion":"50950","uid":"604fb85f-5467-416d-9535-72aa9d229bf5"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:34Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:34Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.435Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T17:01:49Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:24:47Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system","resourceVersion":"50977","uid":"d6f87c52-b0d6-42d6-88fd-f3a54f441286"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:24:47Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:24:47Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.446Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T17:01:06Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:05Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system","resourceVersion":"50972","uid":"ecc2969d-4eeb-434d-9204-a0d3b78fbcca"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.457Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"keycloak-system/keycloak-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:keycloak-system/keycloak-route#rule-1"},"creationTimestamp":"2026-06-11T17:00:49Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:23:06Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system","resourceVersion":"50981","uid":"23206013-8b4e-44a9-b78d-05d6ab65ba88"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:23:06Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:23:06Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.467Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T17:01:49Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:23Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system","resourceVersion":"50969","uid":"57a0b574-1f9e-41c3-b8d6-3591771af695"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:23Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:23Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.477Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-2"},"creationTimestamp":"2026-06-11T17:02:06Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:23:23Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system","resourceVersion":"50968","uid":"ef5d5577-6019-4b17-9999-fbe3768e1e14"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:23:23Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:23:23Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.486Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T17:01:54Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:31Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:32Z"}],"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system","resourceVersion":"50953","uid":"99386432-3901-4fa7-9faf-c9098b3a03f7"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:32Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:32Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.496Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-2"},"creationTimestamp":"2026-06-11T17:00:49Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:05Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system","resourceVersion":"50978","uid":"753e6d00-3df8-4f28-b95b-86c88d9a8687"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:05Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.507Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T17:01:29Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:00Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system","resourceVersion":"50980","uid":"b311c820-1467-4e26-9ac4-35e185f93783"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:00Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:00Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.520Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-11T17:01:06Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:34Z"}],"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system","resourceVersion":"51057","uid":"22f9b3a4-73eb-4844-b1cb-9d7df4da6bd7"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:34Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:34Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.530Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-11T17:01:06Z","generation":69,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-11T17:25:24Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-11T17:25:32Z"}],"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system","resourceVersion":"50947","uid":"7f32b38c-37a2-4dbe-af28-fef70a53dc08"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n  \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n  \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n  \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n  \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? '[\"system:authenticated\",\"' + auth.identity.groups.join('\",\"') + '\"]' : '[\"' + auth.identity.user.groups.join('\",\"') + '\"]'","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-11T17:25:24Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-11T17:25:24Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.534Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to delete authconfig object","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0","error":"authconfigs.authorino.kuadrant.io \"3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0\" not found"}
{"level":"error","ts":"2026-06-11T17:26:16.537Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to delete authconfig object","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11","error":"authconfigs.authorino.kuadrant.io \"2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11\" not found"}
{"level":"error","ts":"2026-06-11T17:26:16.546Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-facebook-opt-125m-simulated","namespace":"llm","uid":"88c326b6-2206-431f-b405-b60bd6226292","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-facebook-opt-125m-simulated\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.553Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"error","ts":"2026-06-11T17:26:16.562Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"maas-trlp-premium-simulated-simulated-premium","namespace":"llm","uid":"a2f315d0-a5f3-4f16-a7fb-1ac5ed75ed44","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"maas-trlp-premium-simulated-simulated-premium\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T17:26:16.562Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:16.632Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:17.826Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","TokenRateLimitPolicy","Gateway","WasmPlugin","AuthPolicy","ConfigMap","Limitador"],"eventTypes":{"create":1,"delete":2,"update":33}}
{"level":"info","ts":"2026-06-11T17:26:17.840Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:17.842Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:26:17.926Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:26:17.926Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:17.933Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:18.025Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:18.029Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:18.029Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:18.030Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:26:18.030Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:18.230Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:18.459Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:18.530Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"error","ts":"2026-06-11T17:26:18.530Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"e2e-ait-6eda0e59","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"e2e-ait-6eda0e59\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"info","ts":"2026-06-11T17:26:19.533Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","TokenRateLimitPolicy","AuthPolicy","Gateway","Limitador"],"eventTypes":{"update":6}}
{"level":"info","ts":"2026-06-11T17:26:19.633Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:19.635Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"}
{"level":"info","ts":"2026-06-11T17:26:19.727Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"}
{"level":"info","ts":"2026-06-11T17:26:19.727Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:19.736Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:19.829Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:19.829Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:19.831Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:19.932Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:20.029Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:26:20.029Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:20.349Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:20.427Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:21.431Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway"],"eventTypes":{"delete":1,"update":1}}
{"level":"info","ts":"2026-06-11T17:26:21.632Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:21.632Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:21.634Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:26:21.634Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:21.634Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:21.634Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:21.729Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:22.050Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:22.127Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:29.037Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","ConfigMap"],"eventTypes":{"create":1,"update":1}}
{"level":"info","ts":"2026-06-11T17:26:29.136Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:29.327Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:29.330Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:29.331Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:29.331Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:29.332Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:26:29.332Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:29.636Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:29.828Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:29.857Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway"],"eventTypes":{"update":1}}
{"level":"info","ts":"2026-06-11T17:26:30.030Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:30.032Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:30.032Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:30.036Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:30.129Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:30.132Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:26:30.132Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:30.543Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:30.552Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:31.630Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway"],"eventTypes":{"update":2}}
{"level":"info","ts":"2026-06-11T17:26:31.830Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:31.832Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:31.832Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:26:31.832Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:31.836Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:31.836Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:31.931Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:32.255Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:32.327Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:35.533Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway"],"eventTypes":{"delete":1,"update":1}}
{"level":"info","ts":"2026-06-11T17:26:35.631Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:35.633Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:35.638Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"}
{"level":"info","ts":"2026-06-11T17:26:35.638Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:35.733Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"}
{"level":"info","ts":"2026-06-11T17:26:35.733Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:35.733Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"}
{"level":"info","ts":"2026-06-11T17:26:36.125Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"}
{"level":"info","ts":"2026-06-11T17:26:36.134Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}