self = <test_api_keys.TestAPIKeySubscriptionPhases object at 0x7f2370520730> def test_reject_key_for_unreconciled_subscription(self): """ API key creation is rejected for unreconciled subscription (empty phase). Note: Temporarily sets webhook failurePolicy to Ignore to allow creating resources while controller is down, then restores to Fail. """ ns = _ns() subscription_name = "e2e-apikey-unreconciled-sub" auth_name = "e2e-apikey-unreconciled-auth" sa_name = "e2e-apikey-unreconciled-sa" webhook_name = "maas-validating-webhook-configuration" try: # Create service account and get token oc_token = _create_sa_token(sa_name, namespace=MODEL_NAMESPACE) sa_user = _sa_to_user(sa_name, namespace=MODEL_NAMESPACE) # Temporarily set webhook failurePolicy to Ignore # This allows creates to succeed when controller/webhook is unavailable # Find webhook indices dynamically by name to avoid brittleness result = subprocess.run( ["oc", "get", "validatingwebhookconfiguration", webhook_name, "-o", "json"], capture_output=True, text=True, check=True ) webhook_config = json.loads(result.stdout) patch_ops = [] for idx, webhook in enumerate(webhook_config.get("webhooks", [])): if webhook.get("name") in ["vmaassubscription.kb.io", "vmaasauthpolicy.kb.io"]: patch_ops.append({"op": "replace", "path": f"/webhooks/{idx}/failurePolicy", "value": "Ignore"}) subprocess.run( ["oc", "patch", "validatingwebhookconfiguration", webhook_name, "--type=json", "-p", json.dumps(patch_ops)], capture_output=True, text=True, check=True ) # Scale down controller to prevent reconciliation _scale_controller_down() # Create resources (webhook unavailable but Ignore policy allows creates) _create_test_auth_policy(auth_name, MODEL_REF, users=[sa_user]) _create_test_subscription(subscription_name, MODEL_REF, users=[sa_user]) # Verify subscription is unreconciled (empty phase) cr = _get_cr("maassubscription", subscription_name, namespace=ns) phase = cr.get("status", {}).get("phase", "") assert phase == "", f"Expected empty phase, got: {phase}" log.info("✅ Subscription is unreconciled (empty phase)") # Try to create API key (should fail with 400) response = requests.post( f"{_maas_api_url()}/v1/api-keys", headers={ "Authorization": f"Bearer {oc_token}", "Content-Type": "application/json" }, json={ "name": "unreconciled-sub-test", "subscription": subscription_name }, timeout=TIMEOUT, verify=TLS_VERIFY, ) > assert response.status_code == 400, \ f"Expected 400 for unreconciled subscription, got {response.status_code}: {response.text}" E AssertionError: Expected 400 for unreconciled subscription, got 500: E assert 500 == 400 E + where 500 = <Response [500]>.status_code test/e2e/tests/test_api_keys.py:1408: AssertionErrorself = <test_api_keys.TestAPIKeySubscriptionFilter object at 0x7f2370520cd0> api_keys_base_url = 'https://maas.apps.64907ff2-128a-4188-ac6f-f41cdc0437ab.prod.konfluxeaas.com/maas-api/v1/api-keys' headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjllQjJJSzRyM3JOd3hSRVd3ZC00SHBwV1JRUXRkdjk3VjVsRl9zdWx1V2cifQ.e...CmZDdc25Pa6QziyFScLhnPLTkrGIq7kje2YqtDsM7-2hfhEiKFD8E9WKbPwJk1WfVcRcnmux975Oh0SJQ', 'Content-Type': 'application/json'} def test_search_filters_by_subscription(self, api_keys_base_url: str, headers: dict): """Search with subscription filter returns only keys bound to that subscription.""" sub_a = f"e2e-filter-sub-a-{os.urandom(4).hex()}" sub_b = f"e2e-filter-sub-b-{os.urandom(4).hex()}" ns = _ns() sa_name = f"e2e-filter-sa-{os.urandom(4).hex()}" key_ids_a = [] key_ids_b = [] try: # Create one SA authorized for both subscriptions so that # exclusion in search results is attributable to the subscription # filter, not user-scoping. oc_token = _create_sa_token(sa_name, namespace=MODEL_NAMESPACE) sa_user = _sa_to_user(sa_name, namespace=MODEL_NAMESPACE) sa_headers = {"Authorization": f"Bearer {oc_token}", "Content-Type": "application/json"} _create_test_auth_policy(f"{sub_a}-auth", MODEL_REF, users=[sa_user]) _create_test_subscription(sub_a, MODEL_REF, users=[sa_user]) _wait_for_maas_subscription_phase(sub_a, namespace=ns) _create_test_auth_policy(f"{sub_b}-auth", MODEL_REF, users=[sa_user]) _create_test_subscription(sub_b, MODEL_REF, users=[sa_user]) _wait_for_maas_subscription_phase(sub_b, namespace=ns) # Create 2 keys bound to sub_a for i in range(2): r = requests.post( api_keys_base_url, headers=sa_headers, json={"name": f"e2e-filter-a-{i}", "subscription": sub_a}, timeout=TIMEOUT, verify=TLS_VERIFY, ) > assert r.status_code in (200, 201), f"Failed to create key for {sub_a}: {r.text}" E AssertionError: Failed to create key for e2e-filter-sub-a-e7738f3e: E assert 500 in (200, 201) E + where 500 = <Response [500]>.status_code test/e2e/tests/test_api_keys.py:1510: AssertionErrorself = <test_api_keys.TestAPIKeySubscriptionFilter object at 0x7f2370520040> api_keys_base_url = 'https://maas.apps.64907ff2-128a-4188-ac6f-f41cdc0437ab.prod.konfluxeaas.com/maas-api/v1/api-keys' headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjllQjJJSzRyM3JOd3hSRVd3ZC00SHBwV1JRUXRkdjk3VjVsRl9zdWx1V2cifQ.e...CmZDdc25Pa6QziyFScLhnPLTkrGIq7kje2YqtDsM7-2hfhEiKFD8E9WKbPwJk1WfVcRcnmux975Oh0SJQ', 'Content-Type': 'application/json'} def test_search_without_subscription_returns_all(self, api_keys_base_url: str, headers: dict): """Search without subscription filter returns keys across all subscriptions.""" key_ids = [] try: # Create keys with explicit subscription binding for i in range(2): r = requests.post( api_keys_base_url, headers=headers, json={"name": f"e2e-nofilter-{i}", "subscription": SIMULATOR_SUBSCRIPTION}, timeout=TIMEOUT, verify=TLS_VERIFY, ) > assert r.status_code in (200, 201), f"Failed to create key: {r.text}" E AssertionError: Failed to create key: E assert 500 in (200, 201) E + where 500 = <Response [500]>.status_code test/e2e/tests/test_api_keys.py:1577: AssertionError@pytest.fixture(scope="module") def api_key(): """Create an API key for tests.""" > key_id, key = _create_ns_api_key("e2e-ns-scoping-key") test/e2e/tests/test_namespace_scoping.py:185: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ name = 'e2e-ns-scoping-key' def _create_ns_api_key(name: str = None) -> tuple[str, str]: """Create an API key and return (key_id, plaintext_key). Retries on empty 403 from gateway propagation delay (Envoy may not have loaded the AuthPolicy yet). """ token = _get_token() url = f"{_maas_api_url()}/v1/api-keys" key_name = name or f"e2e-ns-test-{uuid.uuid4().hex[:8]}" retries = 6 delay = 5 for attempt in range(1, retries + 1): r = requests.post( url, headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"}, json={"name": key_name}, timeout=TIMEOUT, verify=TLS_VERIFY, ) if r.status_code == 403 and not r.text.strip(): if attempt < retries: log.info("Gateway returned empty 403 (attempt %d/%d), retrying in %ds...", attempt, retries, delay) time.sleep(delay) continue break if r.status_code not in (200, 201): > raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}") E RuntimeError: Failed to create API key: 500 test/e2e/tests/test_namespace_scoping.py:91: RuntimeError@pytest.fixture(scope="module") def api_key(): """Create an API key for tests.""" > key_id, key = _create_ns_api_key("e2e-ns-scoping-key") test/e2e/tests/test_namespace_scoping.py:185: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ name = 'e2e-ns-scoping-key' def _create_ns_api_key(name: str = None) -> tuple[str, str]: """Create an API key and return (key_id, plaintext_key). Retries on empty 403 from gateway propagation delay (Envoy may not have loaded the AuthPolicy yet). """ token = _get_token() url = f"{_maas_api_url()}/v1/api-keys" key_name = name or f"e2e-ns-test-{uuid.uuid4().hex[:8]}" retries = 6 delay = 5 for attempt in range(1, retries + 1): r = requests.post( url, headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"}, json={"name": key_name}, timeout=TIMEOUT, verify=TLS_VERIFY, ) if r.status_code == 403 and not r.text.strip(): if attempt < retries: log.info("Gateway returned empty 403 (attempt %d/%d), retrying in %ds...", attempt, retries, delay) time.sleep(delay) continue break if r.status_code not in (200, 201): > raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}") E RuntimeError: Failed to create API key: 500 test/e2e/tests/test_namespace_scoping.py:91: RuntimeError