{"level":"info","ts":"2026-06-10T17:17:41.351Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:17:41.351Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:17:41.351Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:17:41.352Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:17:41.356Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:17:41.356Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:17:41.364Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:17:41.365Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:17:41.382Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute"],"eventTypes":{"update":1}} {"level":"info","ts":"2026-06-10T17:17:41.390Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:17:41.390Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:17:41.390Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:17:41.391Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:17:41.391Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:17:41.391Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:17:41.391Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"error","ts":"2026-06-10T17:17:41.397Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"gateway-default-deny","namespace":"openshift-ingress","uid":"a122c8a7-234e-445b-9958-e477c59dc9b7","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"gateway-default-deny\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-10T17:17:41.397Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:17:41.398Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:17:41.513Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["TokenRateLimitPolicy","ConfigMap","Limitador"],"eventTypes":{"update":3}} {"level":"info","ts":"2026-06-10T17:17:41.520Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:17:41.521Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:17:41.521Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:17:41.521Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:17:41.522Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:17:41.522Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:17:41.522Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:17:41.522Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:17:41.526Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:17:41.526Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:17:41.529Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:17:41.530Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:33.417Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Authorino","ConfigMap"],"eventTypes":{"update":2}} {"level":"info","ts":"2026-06-10T17:20:33.423Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:33.433Z","logger":"kuadrant-operator.AuthorinoReconciler","msg":"authorino resource applied successfully"} {"level":"info","ts":"2026-06-10T17:20:33.433Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:20:33.434Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:33.531Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Authorino","ConfigMap"],"eventTypes":{"update":2}} {"level":"info","ts":"2026-06-10T17:20:33.539Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:33.545Z","logger":"kuadrant-operator.AuthorinoReconciler","msg":"authorino resource applied successfully"} {"level":"info","ts":"2026-06-10T17:20:33.545Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:20:33.546Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:35.037Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Authorino"],"eventTypes":{"update":2}} {"level":"info","ts":"2026-06-10T17:20:35.046Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:35.055Z","logger":"kuadrant-operator.AuthorinoReconciler","msg":"authorino resource applied successfully"} {"level":"info","ts":"2026-06-10T17:20:35.055Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:20:35.056Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:35.157Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Authorino","ConfigMap"],"eventTypes":{"update":2}} {"level":"info","ts":"2026-06-10T17:20:35.163Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:35.168Z","logger":"kuadrant-operator.AuthorinoReconciler","msg":"authorino resource applied successfully"} {"level":"info","ts":"2026-06-10T17:20:35.168Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:20:35.169Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:36.380Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","ConfigMap"],"eventTypes":{"create":1,"update":1}} {"level":"info","ts":"2026-06-10T17:20:36.391Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:36.395Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:20:36.395Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:36.680Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy"],"eventTypes":{"update":1}} {"level":"info","ts":"2026-06-10T17:20:36.688Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:36.689Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:20:36.689Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"error","ts":"2026-06-10T17:20:36.699Z","logger":"kuadrant-operator.IstioAuthClusterReconciler","msg":"failed to create envoyfilter object","gateway":"openshift-ingress/maas-default-gateway","envoyfilter":{"apiVersion":"networking.istio.io/v1alpha3","kind":"EnvoyFilter","metadata":{"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"kuadrant-auth-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"0dfd1e63-8d0d-4773-b387-8b1377f733c6"}]},"spec":{"configPatches":[{"applyTo":"CLUSTER","match":{"cluster":{"service":"authorino-authorino-authorization.kuadrant-system.svc.cluster.local"}},"patch":{"operation":"ADD","value":{"connect_timeout":"1s","http2_protocol_options":{},"lb_policy":"ROUND_ROBIN","load_assignment":{"cluster_name":"kuadrant-auth-service","endpoints":[{"lb_endpoints":[{"endpoint":{"address":{"socket_address":{"address":"authorino-authorino-authorization.kuadrant-system.svc.cluster.local","port_value":50051}}}}]}]},"name":"kuadrant-auth-service","type":"STRICT_DNS"}}}],"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}]},"status":{}},"error":"envoyfilters.networking.istio.io \"kuadrant-auth-maas-default-gateway\" already exists"} {"level":"error","ts":"2026-06-10T17:20:36.699Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-10T17:17:40Z","generation":1,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"0dfd1e63-8d0d-4773-b387-8b1377f733c6\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:17:40Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"0dfd1e63-8d0d-4773-b387-8b1377f733c6"}],"resourceVersion":"24346","uid":"7e43e415-0c09-4783-848f-35f6edda3beb"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"c431c1714d9735d04f146bbff10991094079ae46e4383781dfc8b75f40ad2543","routeRuleConditions":{"hostnames":["keycloak.apps.237ca66e-29b3-49e4-9353-0fc21198d7a6.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:20:36.701Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-2"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d\" already exists"} {"level":"error","ts":"2026-06-10T17:20:36.714Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"keycloak-system/keycloak-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:keycloak-system/keycloak-route#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6\" already exists"} {"level":"error","ts":"2026-06-10T17:20:36.726Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f\" already exists"} {"level":"error","ts":"2026-06-10T17:20:36.787Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:20:36.792Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"maas-api-route","namespace":"opendatahub","uid":"43337223-3595-4773-ad29-034efc5494e6","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"maas-api-route\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:20:36.793Z","logger":"kuadrant-operator.GatewayPolicyDiscoverabilityReconciler.reconcile","msg":"failed to update gateway status","gateway":"maas-default-gateway","error":"Operation cannot be fulfilled on gateways.gateway.networking.k8s.io \"maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:20:36.797Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"keycloak-route","namespace":"keycloak-system","uid":"270e16c4-7e43-42ce-86b9-ecb0b7ddd8a1","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"keycloak-route\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-10T17:20:37.151Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["WasmPlugin","HTTPRoute","AuthConfig","EnvoyFilter","AuthPolicy","ConfigMap","Gateway"],"eventTypes":{"create":4,"update":6}} {"level":"info","ts":"2026-06-10T17:20:37.279Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:20:37.279Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:37.279Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:20:37.279Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:37.280Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:20:37.280Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:37.282Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:37.301Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:20:37.379Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:40.912Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","HTTPRoute","ConfigMap"],"eventTypes":{"create":1,"update":2}} {"level":"info","ts":"2026-06-10T17:20:40.922Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:40.923Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:20:40.923Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:40.924Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:20:40.924Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-10T17:20:40.925Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:40.985Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:41.179Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:20:41.180Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:41.201Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway"],"eventTypes":{"update":1}} {"level":"info","ts":"2026-06-10T17:20:41.280Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:41.281Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:20:41.282Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-10T17:20:41.283Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:20:41.283Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"error","ts":"2026-06-10T17:20:41.290Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-10T17:20:41.290Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:41.378Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"error","ts":"2026-06-10T17:20:41.379Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-3"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa\" already exists"} {"level":"error","ts":"2026-06-10T17:20:41.379Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-10T17:17:40Z","generation":2,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"0dfd1e63-8d0d-4773-b387-8b1377f733c6\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:20:36Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"0dfd1e63-8d0d-4773-b387-8b1377f733c6"}],"resourceVersion":"26538","uid":"7e43e415-0c09-4783-848f-35f6edda3beb"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"c431c1714d9735d04f146bbff10991094079ae46e4383781dfc8b75f40ad2543","routeRuleConditions":{"hostnames":["keycloak.apps.237ca66e-29b3-49e4-9353-0fc21198d7a6.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:20:41.394Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-2"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a\" already exists"} {"level":"error","ts":"2026-06-10T17:20:41.408Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-4"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b\" already exists"} {"level":"error","ts":"2026-06-10T17:20:41.422Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c\" already exists"} {"level":"error","ts":"2026-06-10T17:20:41.428Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"gateway-default-deny","namespace":"openshift-ingress","uid":"a122c8a7-234e-445b-9958-e477c59dc9b7","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"gateway-default-deny\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:20:41.432Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-10T17:20:41.432Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:20:41.433Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"error","ts":"2026-06-10T17:20:41.438Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"e2e-distinct-2-simulated-kserve-route","namespace":"llm","uid":"def20b23-0585-4c7f-92d5-bf61202568d4","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"e2e-distinct-2-simulated-kserve-route\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-10T17:20:41.910Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","ConfigMap","Limitador","AuthPolicy","HTTPRoute","TokenRateLimitPolicy","WasmPlugin"],"eventTypes":{"create":4,"update":6}} {"level":"info","ts":"2026-06-10T17:20:41.918Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:20:41.918Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:20:41.920Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:41.921Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:20:41.921Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:20:41.921Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:41.922Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:20:41.922Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:41.923Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:41.927Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:20:41.927Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:41.997Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:20:41.999Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:42.283Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Limitador","AuthPolicy","TokenRateLimitPolicy"],"eventTypes":{"update":4}} {"level":"info","ts":"2026-06-10T17:20:42.291Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:20:42.292Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:20:42.293Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:42.294Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:20:42.295Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:42.295Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:20:42.295Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:20:42.295Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:42.296Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:42.298Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:20:42.298Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:42.394Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:20:42.397Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:47.320Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","Gateway","HTTPRoute"],"eventTypes":{"create":1,"update":2}} {"level":"info","ts":"2026-06-10T17:20:47.385Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:47.385Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:20:47.386Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-10T17:20:47.386Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:20:47.386Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:47.388Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:47.395Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:47.678Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:20:47.682Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:48.315Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute","Limitador","AuthConfig","WasmPlugin","TokenRateLimitPolicy","AuthPolicy","ConfigMap"],"eventTypes":{"create":4,"update":6}} {"level":"info","ts":"2026-06-10T17:20:48.324Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:20:48.324Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:20:48.380Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:20:48.380Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:48.380Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:48.380Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:20:48.380Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:48.384Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:20:48.385Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:20:48.385Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:48.488Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:48.599Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:20:48.602Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:48.902Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","TokenRateLimitPolicy","AuthPolicy","ConfigMap"],"eventTypes":{"update":4}} {"level":"info","ts":"2026-06-10T17:20:48.912Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:20:48.912Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:20:48.915Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:48.916Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:20:48.916Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:48.978Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:20:48.979Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:20:48.979Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:48.979Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:20:48.980Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:20:48.980Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:20:49.004Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:20:49.085Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:05.984Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute","ConfigMap","Gateway"],"eventTypes":{"create":1,"update":2}} {"level":"info","ts":"2026-06-10T17:21:06.078Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:06.079Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-10T17:21:06.081Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:06.081Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:06.087Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:06.181Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:06.182Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:06.578Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:06.583Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:07.483Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","WasmPlugin","HTTPRoute","TokenRateLimitPolicy","ConfigMap","Limitador","AuthPolicy"],"eventTypes":{"create":4,"update":6}} {"level":"info","ts":"2026-06-10T17:21:07.493Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:21:07.494Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:21:07.579Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:21:07.579Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:07.583Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:07.583Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:07.583Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:07.588Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:07.682Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:07.685Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:21:07.685Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:07.980Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:07.986Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:08.379Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","AuthPolicy","TokenRateLimitPolicy","ConfigMap"],"eventTypes":{"update":4}} {"level":"info","ts":"2026-06-10T17:21:08.389Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:21:08.390Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:21:08.480Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:21:08.480Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:08.483Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:08.486Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:08.578Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:08.578Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:08.585Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:21:08.585Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:08.680Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:08.805Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:08.879Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:18.985Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute","ConfigMap"],"eventTypes":{"create":1,"update":1}} {"level":"info","ts":"2026-06-10T17:21:19.080Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:19.082Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:19.082Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:19.082Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:19.083Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-10T17:21:19.086Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:19.179Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:19.602Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:19.687Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:19.784Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway"],"eventTypes":{"update":1}} {"level":"info","ts":"2026-06-10T17:21:19.883Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:19.884Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:19.884Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:19.886Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:19.887Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-10T17:21:19.978Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"error","ts":"2026-06-10T17:21:19.980Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be\" already exists"} {"level":"error","ts":"2026-06-10T17:21:19.981Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-10T17:21:19.981Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"error","ts":"2026-06-10T17:21:20.180Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5\" already exists"} {"level":"error","ts":"2026-06-10T17:21:20.195Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5\" already exists"} {"level":"error","ts":"2026-06-10T17:21:20.198Z","logger":"kuadrant-operator.IstioExtensionReconciler","msg":"failed to update wasmplugin object","gateway":"openshift-ingress/maas-default-gateway","wasmplugin":{"apiVersion":"extensions.istio.io/v1alpha1","kind":"WasmPlugin","metadata":{"creationTimestamp":"2026-06-10T17:17:40Z","generation":5,"labels":{"kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"extensions.istio.io/v1alpha1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kuadrant.io/managed":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"0dfd1e63-8d0d-4773-b387-8b1377f733c6\"}":{}}},"f:spec":{".":{},"f:phase":{},"f:pluginConfig":{".":{},"f:actionSets":{},"f:services":{".":{},"f:auth-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-check-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-report-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}},"f:ratelimit-service":{".":{},"f:endpoint":{},"f:failureMode":{},"f:timeout":{},"f:type":{}}}},"f:targetRefs":{},"f:url":{}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:06Z"}],"name":"kuadrant-maas-default-gateway","namespace":"openshift-ingress","ownerReferences":[{"apiVersion":"gateway.networking.k8s.io/v1","blockOwnerDeletion":true,"controller":true,"kind":"Gateway","name":"maas-default-gateway","uid":"0dfd1e63-8d0d-4773-b387-8b1377f733c6"}],"resourceVersion":"27112","uid":"7e43e415-0c09-4783-848f-35f6edda3beb"},"spec":{"phase":"STATS","pluginConfig":{"actionSets":[{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"keycloak-system/keycloak-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"c431c1714d9735d04f146bbff10991094079ae46e4383781dfc8b75f40ad2543","routeRuleConditions":{"hostnames":["keycloak.apps.237ca66e-29b3-49e4-9353-0fc21198d7a6.prod.konfluxeaas.com"],"predicates":["request.url_path.startsWith('/')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"0f9ab5b59d41deac660da2eb1d0a5f24e077e4a7cd14f339dcf52d28f04c7867","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"ca70359add5c6503be25edc73c4e1d1b9ecd52b90f1464f7b7fccc93f02ee1cd","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3df6dbaac7d8180af06df213797f77704246a929e55f73d207b164a095832f11","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a4672318dbe7de689ca987abd21f718491b5597266f1da5894f0e59c64eab549","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"29ba2d99e8547db550138417bc4dd1de1fe95f80c1a67235729f38ceb873fabe","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-unconfigured-facebook-opt-125m-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a6259e031deb01ee4da2bb151348f2ecb2911c3a028e205a1c3226b376eb2a2d","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"97baef229ab3877742037427f279d74d823fdac1d905b3adf54884f62cd6642a","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/chat/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d650c1afdfdf169b5610ad9111b60930f37156b615b0355f0d3daf7d6b652469","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"444ee84fa1d1c0b5811d9eb7e61197460aaa5e24874dce3000047afb78eedcb2","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"83911473fcf646d3aeb0ebfe2232465df1d92f3dfe24d732efb482fe88d2150c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"37d38d688f4881b6b6d78cf081dd62e7a0613d1931344fe9f5b636dd5d771db1","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/completions')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"93b69fcfc80e73da87822ba6be11bc487be511f4d38d4d911fd97a5b0e6cdfb7","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d0751135b15b5ff103c70e20d2f13f028c6451c15e5543d7a1975b13ee1f8149","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated/v1/responses')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-2-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"3f50162934b8442aa1c7d3fe0566b1a268651b5cfb43ca14790d4f6ae94e75b9","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-2-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-trlp-test-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"d9e0842efca62ec18863606db12ceebf38bbe9ef730da2630467ad9fc10100a0","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-trlp-test-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"llm/e2e-distinct-simulated-kserve-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"cbd0c2da2572a35cd3b4337f215f7ea87eb0fd2dab2d8b96a3633b802e944cf3","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/llm/e2e-distinct-simulated')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"4e3a9935f53cafcfbee4bb80c2454e50ff22a4c1f063faf817ee47efb8ddb24c","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/v1/models')"]}},{"actions":[{"predicates":["request.path != \"/maas-api/health\" || request.method != \"GET\""],"scope":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","service":"auth-service","sources":["authpolicy.kuadrant.io:openshift-ingress/maas-gateway-auth"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"0"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-check-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]},{"conditionalData":[{"data":[{"expression":{"key":"tokenlimit.deny_all_by_default__6d45535f","value":"1"}},{"expression":{"key":"auth.identity.userid","value":"auth.identity.userid"}},{"expression":{"key":"ratelimit.hits_addend","value":"responseBodyJSON(\"/usage/total_tokens\")"}}],"predicates":["!request.path.startsWith(\"/maas-api\") && !request.path.startsWith(\"/v1/models\")"]}],"scope":"opendatahub/maas-api-route","service":"ratelimit-report-service","sources":["tokenratelimitpolicy.kuadrant.io:openshift-ingress/gateway-default-deny"]}],"name":"a3b9575998c646156864a94928c2b4ddaf433e00217f7d5cdfb5e7bc96bee6b5","routeRuleConditions":{"hostnames":["*"],"predicates":["request.url_path.startsWith('/maas-api')"]}}],"services":{"auth-service":{"endpoint":"kuadrant-auth-service","failureMode":"deny","timeout":"200ms","type":"auth"},"ratelimit-check-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-check"},"ratelimit-report-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"deny","timeout":"100ms","type":"ratelimit-report"},"ratelimit-service":{"endpoint":"kuadrant-ratelimit-service","failureMode":"allow","timeout":"100ms","type":"ratelimit"}}},"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"maas-default-gateway"}],"url":"quay.io/kuadrant/wasm-shim:v0.12.1"},"status":{}},"error":"Operation cannot be fulfilled on wasmplugins.extensions.istio.io \"kuadrant-maas-default-gateway\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:21:20.210Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to create authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":null,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":null,\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"summary":{"festivalWristbandEnabled":false,"hostsReady":null,"numAuthorizationPolicies":0,"numHostsReady":"","numIdentitySources":0,"numMetadataSources":0,"numResponseItems":0,"ready":false}}},"error":"authconfigs.authorino.kuadrant.io \"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a\" already exists"} {"level":"error","ts":"2026-06-10T17:21:20.285Z","logger":"kuadrant-operator.TokenRateLimitPolicyStatusUpdater","msg":"unable to update policy status","name":"gateway-default-deny","namespace":"openshift-ingress","uid":"a122c8a7-234e-445b-9958-e477c59dc9b7","error":"Operation cannot be fulfilled on tokenratelimitpolicies.kuadrant.io \"gateway-default-deny\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:21:20.291Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-10T17:21:20.291Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:20.296Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"error","ts":"2026-06-10T17:21:20.299Z","logger":"kuadrant-operator.HTTPRoutePolicyDiscoverabilityReconciler.reconcile","msg":"unable to update route status","name":"e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","namespace":"llm","uid":"aee114a2-8dda-4437-a6b0-913eec429b43","error":"Operation cannot be fulfilled on httproutes.gateway.networking.k8s.io \"e2e-unconfigured-facebook-opt-125m-simulated-kserve-route\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-10T17:21:21.621Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","AuthConfig","AuthPolicy","HTTPRoute","TokenRateLimitPolicy","ConfigMap","WasmPlugin"],"eventTypes":{"create":4,"update":6}} {"level":"info","ts":"2026-06-10T17:21:21.688Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:21:21.689Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:21:21.695Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:21.695Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:21.695Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:21.780Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:21.781Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:21.782Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:21:21.782Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:21.782Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:21:21.782Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:21.904Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:21.988Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:22.090Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig"],"eventTypes":{"update":1}} {"level":"error","ts":"2026-06-10T17:21:22.291Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-10T17:21:22.588Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","TokenRateLimitPolicy","ConfigMap","AuthPolicy"],"eventTypes":{"update":4}} {"level":"info","ts":"2026-06-10T17:21:22.598Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:21:22.599Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:21:22.782Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:21:22.782Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:22.784Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:22.786Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:22.786Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:22.787Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:22.880Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:21:22.880Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:22.880Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:22.993Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:23.081Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:28.983Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Gateway","TokenRateLimitPolicy","ConfigMap","HTTPRoute"],"eventTypes":{"create":2,"update":2}} {"level":"info","ts":"2026-06-10T17:21:29.089Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:29.184Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:29.184Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:29.185Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:29.281Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:29.379Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-10T17:21:29.390Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:29.612Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:29.684Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:30.781Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","AuthConfig","WasmPlugin","HTTPRoute","TokenRateLimitPolicy","Limitador","ConfigMap"],"eventTypes":{"create":4,"update":7}} {"level":"info","ts":"2026-06-10T17:21:30.790Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:21:30.792Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:21:30.879Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:21:30.879Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:30.880Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:30.880Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:30.880Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:30.885Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:30.887Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:21:30.887Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:30.891Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:31.182Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:31.283Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:31.378Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig"],"eventTypes":{"update":1}} {"level":"error","ts":"2026-06-10T17:21:31.496Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-10T17:21:31.988Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthPolicy","TokenRateLimitPolicy","Limitador","ConfigMap"],"eventTypes":{"update":4}} {"level":"info","ts":"2026-06-10T17:21:31.997Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:21:31.998Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:21:32.080Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:21:32.080Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:32.085Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:32.085Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:32.085Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:32.089Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:32.183Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:32.184Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:21:32.184Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:32.392Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:32.483Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:49.690Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["HTTPRoute","ConfigMap"],"eventTypes":{"create":1,"update":1}} {"level":"info","ts":"2026-06-10T17:21:49.984Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:49.984Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:49.984Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:49.989Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:49.991Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-10T17:21:50.084Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:50.087Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:50.506Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:50.586Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:51.781Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","Gateway","HTTPRoute","TokenRateLimitPolicy","AuthPolicy","WasmPlugin","Limitador","ConfigMap"],"eventTypes":{"create":5,"update":7}} {"level":"info","ts":"2026-06-10T17:21:51.792Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:21:51.794Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:21:51.881Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:21:51.881Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:51.886Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:51.985Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:51.985Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:52.078Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:52.082Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-10T17:21:52.084Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"error","ts":"2026-06-10T17:21:52.183Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"failed to update limitador object","error":"Operation cannot be fulfilled on limitadors.limitador.kuadrant.io \"limitador\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-10T17:21:52.184Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:52.405Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:52.581Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:53.686Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","HTTPRoute","ConfigMap","AuthPolicy","TokenRateLimitPolicy","WasmPlugin"],"eventTypes":{"update":6}} {"level":"info","ts":"2026-06-10T17:21:53.696Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:21:53.698Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:21:53.783Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:21:53.783Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:53.787Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:53.981Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:53.982Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:54.083Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"updating limitador object","status":"processing"} {"level":"info","ts":"2026-06-10T17:21:54.084Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:54.086Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:54.179Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:54.307Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:54.482Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:55.082Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","ConfigMap"],"eventTypes":{"update":2}} {"level":"info","ts":"2026-06-10T17:21:55.092Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:21:55.094Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:21:55.105Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:21:55.105Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:55.183Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:55.185Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:55.187Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:21:55.187Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:55.385Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:55.481Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:56.084Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Limitador","ConfigMap","TokenRateLimitPolicy"],"eventTypes":{"update":4}} {"level":"info","ts":"2026-06-10T17:21:56.095Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"started"} {"level":"info","ts":"2026-06-10T17:21:56.098Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"applying limitador resource"} {"level":"info","ts":"2026-06-10T17:21:56.185Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"limitador resource applied successfully"} {"level":"info","ts":"2026-06-10T17:21:56.185Z","logger":"kuadrant-operator.LimitadorResourceReconciler","msg":"reconciling limitador resource","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:56.279Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"started"} {"level":"info","ts":"2026-06-10T17:21:56.282Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"limitador object is up to date, nothing to do","status":"skipping"} {"level":"info","ts":"2026-06-10T17:21:56.282Z","logger":"kuadrant-operator.LimitadorLimitsReconciler","msg":"Limitador limits reconciler","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:56.282Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:21:56.282Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:21:56.285Z","logger":"kuadrant-operator.LimitadorIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"limitador-limitador","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:21:56.596Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:21:56.680Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:23:42.987Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Authorino","ConfigMap"],"eventTypes":{"update":2}} {"level":"info","ts":"2026-06-10T17:23:43.085Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:23:43.094Z","logger":"kuadrant-operator.AuthorinoReconciler","msg":"authorino resource applied successfully"} {"level":"info","ts":"2026-06-10T17:23:43.094Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:23:43.185Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:23:43.193Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["Authorino"],"eventTypes":{"update":1}} {"level":"info","ts":"2026-06-10T17:23:43.283Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:23:43.285Z","logger":"kuadrant-operator.AuthorinoReconciler","msg":"authorino resource applied successfully"} {"level":"info","ts":"2026-06-10T17:23:43.285Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:23:43.294Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:23:45.284Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["ConfigMap","AuthConfig","AuthPolicy","Authorino"],"eventTypes":{"update":26}} {"level":"info","ts":"2026-06-10T17:23:45.384Z","logger":"kuadrant-operator.AuthorinoReconciler","msg":"authorino resource applied successfully"} {"level":"info","ts":"2026-06-10T17:23:45.387Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:23:45.389Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:23:45.389Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:23:46.212Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:23:46.282Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:23:46.378Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","Authorino"],"eventTypes":{"update":16}} {"level":"info","ts":"2026-06-10T17:23:46.478Z","logger":"kuadrant-operator.AuthorinoReconciler","msg":"authorino resource applied successfully"} {"level":"info","ts":"2026-06-10T17:23:46.486Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"error","ts":"2026-06-10T17:23:46.594Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-10T17:21:29Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:21:29Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:29Z"}],"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system","resourceVersion":"27606","uid":"06c2a346-4064-4e12-bd98-0d873edfec81"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:21:29Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:21:29Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.679Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-10T17:20:47Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:20:47Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:44Z"}],"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system","resourceVersion":"29411","uid":"184f08cc-dee3-4977-b7b0-39f3a61c4023"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.687Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-10T17:21:19Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:19Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system","resourceVersion":"29398","uid":"0f3e4be8-f284-4d83-bb4c-578b0af9ef10"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.695Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-10T17:21:29Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:29Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:44Z"}],"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system","resourceVersion":"29407","uid":"f781de7f-1fbe-4460-a521-c6937e59b6e0"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.704Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-10T17:21:19Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:19Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system","resourceVersion":"29396","uid":"b145d551-2bb7-47c1-992a-de5fe7eda2b7"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.714Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-10T17:21:29Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:29Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system","resourceVersion":"29311","uid":"1ecd19ee-2893-4555-85ec-15975c1ab233"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.723Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-2"},"creationTimestamp":"2026-06-10T17:20:36Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:20:36Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:44Z"}],"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system","resourceVersion":"29422","uid":"acedb917-5146-4602-8266-fc41977380c5"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.731Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-10T17:21:06Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:06Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system","resourceVersion":"29286","uid":"e739421a-5cbc-4bb4-9528-33e3eb7d6a59"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.739Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"opendatahub/maas-api-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:opendatahub/maas-api-route#rule-1"},"creationTimestamp":"2026-06-10T17:20:36Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:20:36Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:20:36Z"}],"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system","resourceVersion":"26572","uid":"67c6e565-b4cb-4086-8c9f-74282af3057d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:20:36Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:20:36Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.748Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-10T17:20:47Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:20:47Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:20:47Z"}],"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system","resourceVersion":"26826","uid":"f17ec2de-d0e5-42eb-9162-55452807355c"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:20:47Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:20:47Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.758Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"keycloak-system/keycloak-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:keycloak-system/keycloak-route#rule-1"},"creationTimestamp":"2026-06-10T17:20:36Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:20:36Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system","resourceVersion":"29388","uid":"ac8813ea-cfd8-44c2-8f4c-ffc6463f20ad"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.765Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-3"},"creationTimestamp":"2026-06-10T17:21:50Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:21:50Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:50Z"}],"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system","resourceVersion":"27927","uid":"1a0fc0e2-a2ad-4cee-916c-17113ba49862"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:21:50Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:21:50Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.774Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-10T17:20:40Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:20:40Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system","resourceVersion":"29313","uid":"92ebb264-5b07-464e-b284-9104f06c3ffb"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.782Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-10T17:21:06Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:06Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system","resourceVersion":"29402","uid":"6cfe5c04-d3e9-44b2-99fb-89d648377b1b"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.790Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-10T17:20:47Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:20:47Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:44Z"}],"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system","resourceVersion":"29414","uid":"a80a9e10-07f1-4d4c-828e-d1b355d50c6e"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.798Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-10T17:21:06Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:06Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system","resourceVersion":"29392","uid":"75cbf894-723d-4464-8a60-5bf13b64aba4"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.807Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-10T17:21:19Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:19Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system","resourceVersion":"29393","uid":"c88a8959-1150-4a0e-a4c6-5206ea39ce02"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.817Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/facebook-opt-125m-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-10T17:21:29Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:29Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system","resourceVersion":"29300","uid":"e87efdf1-7337-4048-83d7-90aad94e77de"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.825Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-unconfigured-facebook-opt-125m-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-10T17:21:19Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:19Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:44Z"}],"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system","resourceVersion":"29404","uid":"d2315e9f-63f8-4350-9b0a-3560d003645d"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.834Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-10T17:20:40Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:20:40Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:44Z"}],"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system","resourceVersion":"29416","uid":"8e66f371-ecf2-4381-9e18-d32675cfdf13"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.842Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-1"},"creationTimestamp":"2026-06-10T17:21:50Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:50Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system","resourceVersion":"29403","uid":"ec87232c-b1eb-4683-8ca0-fe21f5e75f15"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.850Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-simulated-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-simulated-kserve-route#rule-2"},"creationTimestamp":"2026-06-10T17:20:47Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:20:47Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:44Z"}],"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system","resourceVersion":"29418","uid":"8da361a5-45ad-4228-8f32-9125cc9fcebf"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.859Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-trlp-test-simulated-kserve-route","httpRouteRule":"rule-1","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-trlp-test-simulated-kserve-route#rule-1"},"creationTimestamp":"2026-06-10T17:21:06Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:06Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system","resourceVersion":"29307","uid":"8f93ed1c-38ca-4d2d-b5e2-d02bf4fb22b8"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.867Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-4"},"creationTimestamp":"2026-06-10T17:21:50Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:50Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:44Z"}],"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system","resourceVersion":"29415","uid":"0e7b3aad-e5e5-43f9-878a-c7624654c5c5"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.875Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/premium-simulated-simulated-premium-kserve-route","httpRouteRule":"rule-2","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/premium-simulated-simulated-premium-kserve-route#rule-2"},"creationTimestamp":"2026-06-10T17:21:49Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:21:49Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:44Z"}],"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system","resourceVersion":"29427","uid":"5efe2be2-3509-49bd-bb2e-e0f93d021944"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:44Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.884Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-4","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-4"},"creationTimestamp":"2026-06-10T17:20:41Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:20:41Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system","resourceVersion":"29368","uid":"23db4469-f4a9-4fd8-a4c2-1fba243914d7"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.891Z","logger":"kuadrant-operator.AuthConfigsReconciler","msg":"failed to update authconfig object","httpRoute":"llm/e2e-distinct-2-simulated-kserve-route","httpRouteRule":"rule-3","authconfig":{"apiVersion":"authorino.kuadrant.io/v1beta3","kind":"AuthConfig","metadata":{"annotations":{"HTTPRouteRule.gateway.networking.k8s.io":"httproute.gateway.networking.k8s.io:llm/e2e-distinct-2-simulated-kserve-route#rule-3"},"creationTimestamp":"2026-06-10T17:20:41Z","generation":1,"labels":{"kuadrant.io/auth":"true","kuadrant.io/managed":"true"},"managedFields":[{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:HTTPRouteRule.gateway.networking.k8s.io":{}},"f:labels":{".":{},"f:kuadrant.io/auth":{},"f:kuadrant.io/managed":{}}},"f:spec":{".":{},"f:authentication":{".":{},"f:api-keys":{".":{},"f:credentials":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:oidc-identities":{".":{},"f:credentials":{},"f:jwt":{".":{},"f:issuerUrl":{},"f:ttl":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:openshift-identities":{".":{},"f:credentials":{},"f:kubernetesTokenReview":{".":{},"f:audiences":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:authorization":{".":{},"f:auth-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:require-group-membership":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}},"f:subscription-valid":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{},"f:when":{}},"f:tenant-gateway-isolation":{".":{},"f:metrics":{},"f:opa":{".":{},"f:allValues":{},"f:rego":{}},"f:priority":{}}},"f:hosts":{},"f:metadata":{".":{},"f:apiKeyValidation":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}},"f:subscription-info":{".":{},"f:cache":{".":{},"f:key":{".":{},"f:selector":{}},"f:ttl":{}},"f:http":{".":{},"f:body":{".":{},"f:expression":{}},"f:contentType":{},"f:credentials":{},"f:method":{},"f:url":{}},"f:metrics":{},"f:priority":{},"f:when":{}}},"f:response":{".":{},"f:success":{".":{},"f:dynamicMetadata":{".":{},"f:identity":{".":{},"f:json":{".":{},"f:properties":{".":{},"f:groups":{".":{},"f:expression":{}},"f:groups_str":{".":{},"f:expression":{}},"f:keyId":{".":{},"f:expression":{}},"f:selected_subscription":{".":{},"f:expression":{}},"f:selected_subscription_key":{".":{},"f:expression":{}},"f:subscription_error":{".":{},"f:expression":{}},"f:subscription_error_message":{".":{},"f:expression":{}},"f:subscription_info":{".":{},"f:expression":{}},"f:userid":{".":{},"f:expression":{}}}},"f:metrics":{},"f:priority":{}}},"f:headers":{".":{},"f:X-MaaS-Group":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Group-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Subscription":{".":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username":{".":{},"f:metrics":{},"f:plain":{".":{},"f:selector":{}},"f:priority":{},"f:when":{}},"f:X-MaaS-Username-Token":{".":{},"f:key":{},"f:metrics":{},"f:plain":{".":{},"f:expression":{}},"f:priority":{},"f:when":{}}}},"f:unauthenticated":{".":{},"f:code":{},"f:message":{".":{},"f:value":{}}},"f:unauthorized":{".":{},"f:body":{".":{},"f:expression":{}},"f:code":{},"f:headers":{".":{},"f:content-type":{".":{},"f:value":{}},"f:x-ext-auth-reason":{".":{},"f:expression":{}}}}}}},"manager":"manager","operation":"Update","time":"2026-06-10T17:20:41Z"},{"apiVersion":"authorino.kuadrant.io/v1beta3","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{},"f:summary":{".":{},"f:festivalWristbandEnabled":{},"f:hostsReady":{},"f:numAuthorizationPolicies":{},"f:numHostsReady":{},"f:numIdentitySources":{},"f:numMetadataSources":{},"f:numResponseItems":{},"f:ready":{}}}},"manager":"authorino","operation":"Update","subresource":"status","time":"2026-06-10T17:23:43Z"}],"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system","resourceVersion":"29395","uid":"2352e6bc-2e18-4c3c-a519-c774062911f0"},"spec":{"authentication":{"api-keys":{"credentials":{},"plain":{"selector":"request.headers.authorization"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\") && request.headers.authorization.matches(\"^Bearer **** sk-oai-\")"}]}},"authorization":{"auth-valid":{"cache":{"key":{"selector":"\"api-key|\" + request.headers.authorization.replace(\"Bearer **** \"\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}"}},"require-group-membership":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n"}},"subscription-valid":{"cache":{"key":{"selector":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"opa":{"rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}"},"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]},"tenant-gateway-isolation":{"opa":{"rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }"}}},"hosts":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"metadata":{"apiKeyValidation":{"cache":{"key":{"selector":"request.headers.authorization.replace(\"Bearer **** \"\")","value":null},"ttl":60},"http":{"body":{"expression":"{\"key\": request.headers.authorization.replace(\"Bearer **** \"\")}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate"},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.userId : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))) + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\") + \"|\" + ((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")) + \"|\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))","value":null},"ttl":60},"http":{"body":{"expression":"{\n \"groups\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups),\n \"username\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)),\n \"requestedSubscription\": (has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\"),\n \"requestedModel\": (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\"))\n}","value":null},"contentType":"application/json","credentials":{},"method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select"},"priority":1,"when":[{"predicate":"request.path.startsWith(\"/llm/\") || \"x-gateway-model-name\" in request.headers"}]}},"response":{"success":{"dynamicMetadata":{"identity":{"json":{"properties":{"groups":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)","value":null},"groups_str":{"expression":"((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : (has(auth.identity.groups) ? auth.identity.groups : auth.identity.user.groups)).join(\",\")","value":null},"keyId":{"expression":"has(auth.metadata.apiKeyValidation) ? auth.metadata.apiKeyValidation.keyId : \"\"","value":null},"selected_subscription":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].name : \"\"","value":null},"selected_subscription_key":{"expression":"has(auth.metadata[\"subscription-info\"].namespace) && has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"].namespace + \"/\" + auth.metadata[\"subscription-info\"].name + \"@\" + (request.path.startsWith(\"/llm/\") ? request.path.split(\"/\").filter(x, x != \"\")[0] + \"/\" + request.path.split(\"/\").filter(x, x != \"\")[1] : (\"x-gateway-model-name\" in request.headers ? request.headers[\"x-gateway-model-name\"] : \"\")) : \"\"","value":null},"subscription_error":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"\"","value":null},"subscription_error_message":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"\"","value":null},"subscription_info":{"expression":"has(auth.metadata[\"subscription-info\"].name) ? auth.metadata[\"subscription-info\"] : {}","value":null},"userid":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : (has(auth.identity.preferred_username) ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username))","value":null}}},"metrics":true}},"headers":{"X-MaaS-Group":{"plain":{"selector":"auth.metadata.apiKeyValidation.groups.@tostr","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** sk-oai-\")"}]},"X-MaaS-Subscription":{"plain":{"expression":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : (\"x-maas-subscription\" in request.headers ? request.headers[\"x-maas-subscription\"] : \"\")","value":null},"when":[{"predicate":"(has(auth.metadata) && has(auth.metadata.apiKeyValidation) && auth.metadata.apiKeyValidation.subscription != \"\") || \"x-maas-subscription\" in request.headers"}]},"X-MaaS-Username":{"plain":{"selector":"auth.metadata.apiKeyValidation.username","value":null},"when":[{"operator":"matches","selector":"request.headers.authorization","value":"^Bearer **** ? auth.identity.preferred_username : (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)","value":null},"priority":1,"when":[{"predicate":"!request.headers.authorization.startsWith(\"Bearer **** required"}},"unauthorized":{"body":{"expression":"has(auth.metadata[\"subscription-info\"].message) ? auth.metadata[\"subscription-info\"].message : \"Access denied\"","value":null},"code":403,"headers":{"content-type":{"value":"text/plain"},"x-ext-auth-reason":{"expression":"has(auth.metadata[\"subscription-info\"].error) ? auth.metadata[\"subscription-info\"].error : \"unauthorized\"","value":null}}}}},"status":{"conditions":[{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"HostsLinked","status":"True","type":"Available"},{"lastTransitionTime":"2026-06-10T17:23:43Z","reason":"Reconciled","status":"True","type":"Ready"}],"summary":{"festivalWristbandEnabled":false,"hostsReady":["35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"],"numAuthorizationPolicies":4,"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numResponseItems":6,"ready":true}}},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"error","ts":"2026-06-10T17:23:46.904Z","logger":"kuadrant-operator.AuthPolicyStatusUpdater","msg":"unable to update status for authpolicy","name":"maas-gateway-auth","namespace":"openshift-ingress","error":"Operation cannot be fulfilled on authpolicies.kuadrant.io \"maas-gateway-auth\": the object has been modified; please apply your changes to the latest version and try again"} {"level":"info","ts":"2026-06-10T17:23:46.904Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:23:46.913Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"} {"level":"info","ts":"2026-06-10T17:23:47.881Z","logger":"kuadrant-operator.event logger","msg":"new events","resources":["AuthConfig","AuthPolicy","Authorino","ConfigMap"],"eventTypes":{"update":30}} {"level":"info","ts":"2026-06-10T17:23:48.086Z","logger":"kuadrant-operator.AuthorinoIstioIntegrationReconciler","msg":"get object","kind":"v1.Deployment","name":"authorino","namespace":"kuadrant-system"} {"level":"info","ts":"2026-06-10T17:23:48.086Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"started"} {"level":"info","ts":"2026-06-10T17:23:48.086Z","logger":"kuadrant-operator.IstioExtensionReconciler.buildWasmConfigs","msg":"build Wasm configuration","status":"completed"} {"level":"info","ts":"2026-06-10T17:23:48.090Z","logger":"kuadrant-operator.AuthorinoReconciler","msg":"authorino resource applied successfully"} {"level":"info","ts":"2026-06-10T17:23:48.302Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"started"} {"level":"info","ts":"2026-06-10T17:23:48.381Z","logger":"kuadrant-operator.KuadrantStatusUpdater","msg":"reconciling kuadrant status","status":"completed"}